prevent-brute-force-attacks


L0 Member

Hello Everyone

 

I am looking for suggestions on how we could protect our GlobalProtect VPN. We have been seeing people trying to perform brute-force attacks on random user accounts daily. We do have MFA set up, but is there any automation we could implement with Palo Alto Firewall to automatically block IP addresses after a certain number of failed attempts?


3 REPLIES

Cyber Elite

Hi @dshastri ,

 

Here is a great place to start.  https://www.packetswitch.co.uk/how-to-protect-globalprotect-portal-from-brute-force-attack/

 

I have used all of these methods.  They will significantly decrease the amount you are getting.

 

The 4th one is a vulnerability signature that does mostly what you ask.  I found it to not be as effective since most of my hackers were low and slow.  The signature only detects login attempts and not failures.  So, you can't tune it too tight or valid users may be blocked.

 

GP can still be used without the portal page enabled.  (You actually can still download software by going to https://your.domain.com/global-protect/getsoftwarepage.esp, but that's another story.)

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
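
Added example, not part of the thread and not Palo Alto tooling: a Python illustration of the point in the reply above, that counting failures (rather than every login attempt) per source IP over a long window catches low-and-slow guessing without flagging a valid user who logs in often. The event tuples, addresses, and thresholds are constructed for illustration; real input would come from exported authentication logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def flag_sources(events, window, max_failures, max_users):
    """Return source IPs whose failed logins inside any sliding `window`
    reach `max_failures`, or target `max_users` distinct accounts."""
    recent = defaultdict(deque)          # src_ip -> deque of (time, user) failures
    flagged = set()
    for ts, src, user, result in sorted(events):
        if result != "fail":             # count failures only, not every attempt
            continue
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:     # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures or len({u for _, u in q}) >= max_users:
            flagged.add(src)
    return sorted(flagged)

def build_sample():
    """Constructed events: (time, source IP, username, result)."""
    t0 = datetime(2024, 1, 1, 0, 0)
    events = []
    # Low and slow: one failure every 20 minutes, rotating through 12 usernames.
    for i in range(36):
        events.append((t0 + timedelta(minutes=20 * i), "203.0.113.7",
                       f"user{i % 12}", "fail"))
    # Noisy burst: 10 failures in 10 seconds against one account.
    for i in range(10):
        events.append((t0 + timedelta(seconds=i), "198.51.100.9", "admin", "fail"))
    # Valid user with a reconnecting client: 30 attempts, a single typo.
    for i in range(30):
        events.append((t0 + timedelta(minutes=i), "192.0.2.50", "alice",
                       "fail" if i == 3 else "success"))
    return events

if __name__ == "__main__":
    sample = build_sample()
    # A tight window only sees the burst; the slow source never accumulates.
    print("5-minute window:", flag_sources(sample, timedelta(minutes=5), 5, 5))
    # A day-long window also catches the slow source via distinct usernames.
    print("24-hour window: ", flag_sources(sample, timedelta(hours=24), 10, 8))
```

The returned list is one address per entry, which can be written out as a plain text block list for whatever enforcement point consumes it.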

Cyber Elite

Hello,

In addition to this, I recommend implementing Zone Protection profiles.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clm9CAC

Regards,

Thank you, TomYoung. The only thing I am missing from the documentation was Blacklist IPs Using a Vulnerability Profile. Do you know if Palo Alto has a pre-authentication check where, if the user doesn't exist in the group, it drops the connection?
