How to find IP address of user connecting to GlobalProtect VPN


L0 Member

Hi, 

can someone tell me how to find the home IP address of a user who has connected to GlobalProtect?


I want to be able to audit GlobalProtect connections to ensure that they are coming from the actual home network of the user rather than from the IP address of an attacker.

Thanks

1 REPLY

Cyber Elite

@FelixO,

On the GP logs on the firewall, you'll find a field for public_ip that will give you this information. If you're planning on looking at this information, I'd highly recommend building out a script and using the API to validate this information for those that connect.

Personally, I would make this expanded a bit. Verify that the IPs connecting to your network are coming from where you expect them, sending alerts if it's from a location that you wouldn't expect. I'd personally not automatically block identified addresses; you'll have people connecting from random locations if they use a consumer VPN and connect to your Portal or gateway.

I'd have a second script, or the same one, that pays vastly more attention to the recorded machinename of connected clients. If that machine name changes I send alerts to relevant people to verify the endpoint and the user connecting. I find this information is better at identifying abnormal connections than simply paying attention to the IP that the user is connecting from; once you add in the required exceptions for expected locations it's easy to see ways someone with phished credentials or malicious intentions could bypass your other checks. 
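
A sketch of the audit described in the reply above, as an added example that is not part of the original post and not Palo Alto Networks code: it checks already-retrieved GlobalProtect log records offline instead of calling the firewall API. `public_ip` and `machinename` are the fields named in the reply; `srcuser`, `time`, the per-user allow-list and every sample value are assumptions constructed for illustration.

```python
"""Alert (never block) on unexpected source IPs and new machine names per user."""
import ipaddress
from collections import defaultdict

# Constructed sample records; `srcuser` and `time` are assumed field names.
SAMPLE_LOGS = [
    {"time": "2024-05-01T08:02:11", "srcuser": "alice",
     "public_ip": "198.51.100.23", "machinename": "LT-ALICE-01"},
    {"time": "2024-05-01T08:15:42", "srcuser": "bob",
     "public_ip": "203.0.113.40", "machinename": "LT-BOB-07"},
    # Same laptop, unfamiliar address (e.g. a consumer VPN): IP alert only.
    {"time": "2024-05-02T07:58:30", "srcuser": "bob",
     "public_ip": "192.0.2.77", "machinename": "LT-BOB-07"},
    # Expected address, unfamiliar endpoint: only the machine check catches it.
    {"time": "2024-05-02T22:41:05", "srcuser": "alice",
     "public_ip": "198.51.100.23", "machinename": "DESKTOP-7F3K2Q"},
]

# Hypothetical allow-list of networks each user is expected to connect from.
EXPECTED_NETS = {"alice": ["198.51.100.0/24"], "bob": ["203.0.113.0/24"]}


def audit(records, expected_nets):
    """Return (time, user, alert_type, detail) tuples in chronological order."""
    nets = {u: [ipaddress.ip_network(n) for n in ns]
            for u, ns in expected_nets.items()}
    seen_machines = defaultdict(set)   # per-user baseline of endpoint names
    alerts = []
    for rec in sorted(records, key=lambda r: r["time"]):
        user, machine = rec["srcuser"].lower(), rec["machinename"].upper()
        try:
            ip = ipaddress.ip_address(rec["public_ip"])
        except ValueError:             # malformed field: report it, keep going
            alerts.append((rec["time"], user, "BAD_IP", rec["public_ip"]))
            continue
        # A user with no allow-list entry is flagged on every connection.
        if not any(ip in net for net in nets.get(user, [])):
            alerts.append((rec["time"], user, "UNEXPECTED_IP", str(ip)))
        # The first machine seen becomes the baseline; later new names alert.
        if seen_machines[user] and machine not in seen_machines[user]:
            alerts.append((rec["time"], user, "NEW_MACHINE", machine))
        seen_machines[user].add(machine)
    return alerts


if __name__ == "__main__":
    for alert in audit(SAMPLE_LOGS, EXPECTED_NETS):
        print(*alert, sep=" | ")
```

In a real deployment the machine-name baseline would be persisted between runs so that it survives restarts of the script.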
