04-04-2025 09:27 AM
We've been tracking the scanning campaign that made the news recently concerning scanning and dictionary attacks against GlobalProtect portals. We've been able to put together a parser to pull and deduplicate IP addresses from our logs for those attempts. Anyone doing something similar?
Palo Alto, would there be interest in ingesting these somehow to create a block list of some kind? I'm sure it's the same actors across multiple customers.
04-04-2025 11:39 AM
Hi @jstrubberg,
Here is a detailed discussion of the issue -> https://live.paloaltonetworks.com/t5/globalprotect-discussions/use-auto-tagging-to-block-failed-glob....
Here is another post that uses automation to update an EDL -> https://live.paloaltonetworks.com/t5/general-topics/automatically-blocking-ip-s-after-a-certain-numb....
Thanks,
Tom
04-04-2025 11:57 AM
Thanks Tom. The tagging option seems like it could land you in a false positive situation if you aren't very careful with the timing of the tag. As for the brute force blocking, in my situation I don't think it would trigger. Today for instance, I've logged about 1100 attempts from 614 distinct IP addresses.
What I do have is a very distinct error message in the system log that never happens to a registered user. I'm using that to parse out bad actor IPs. My next step is to feed that list back to the logs and see if they ever hit anything other than my GlobalProtect portal to confirm it's nothing but bad actor traffic, and then I will build an EDL with them.
Was just wondering if there might be a large movement afoot after seeing this week's new article come out about the subject.
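As an added illustration of the workflow described in the post above (this is not code from the thread or from Palo Alto Networks), a small Python parser over constructed sample lines: it pulls and deduplicates source IPs from system-log lines carrying an assumed failure marker, checks in traffic-log lines whether those IPs touched anything other than the assumed portal address, and renders the list as a one-address-per-line EDL. The log layout, the marker text and all addresses are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample log lines for this example, not real PAN-OS output.
# The failure marker text and the key=value layout are assumptions.
FAILURE_MARKER = "reason=portal-login-failure-unknown-user"

SYSTEM_LOG = """\
2025-04-04T09:01:10 globalprotect portal-auth failure src=203.0.113.10 user=admin reason=portal-login-failure-unknown-user
2025-04-04T09:01:12 globalprotect portal-auth failure src=203.0.113.10 user=test reason=portal-login-failure-unknown-user
2025-04-04T09:02:03 globalprotect portal-auth failure src=198.51.100.7 user=guest reason=portal-login-failure-unknown-user
2025-04-04T09:03:44 globalprotect portal-auth success src=192.0.2.55 user=alice
2025-04-04T09:04:01 globalprotect portal-auth failure src=192.0.2.55 user=alice reason=bad-password
"""

TRAFFIC_LOG = """\
2025-04-04T09:05:00 src=203.0.113.10 dst=192.0.2.1 dport=443 app=ssl
2025-04-04T09:05:30 src=198.51.100.7 dst=192.0.2.1 dport=443 app=ssl
2025-04-04T09:06:00 src=198.51.100.7 dst=192.0.2.20 dport=22 app=ssh
"""

PORTAL_IP = "192.0.2.1"  # assumed address of the GlobalProtect portal
_SRC = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")
_DST = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")


def failed_portal_sources(system_log, marker=FAILURE_MARKER):
    """Count attempts per source IP for lines carrying the failure marker."""
    counts = Counter()
    for line in system_log.splitlines():
        if marker in line:
            m = _SRC.search(line)
            if m:
                counts[m.group(1)] += 1
    return counts


def hits_outside_portal(traffic_log, candidates, portal_ip=PORTAL_IP):
    """Map each candidate IP to the non-portal destinations it touched."""
    outside = {ip: set() for ip in candidates}
    for line in traffic_log.splitlines():
        s, d = _SRC.search(line), _DST.search(line)
        if s and d and s.group(1) in outside and d.group(1) != portal_ip:
            outside[s.group(1)].add(d.group(1))
    return outside


def to_edl(candidates):
    """Render a deduplicated, numerically sorted EDL IP list, one per line."""
    ips = sorted(set(candidates), key=lambda ip: tuple(int(o) for o in ip.split(".")))
    return "\n".join(ips) + "\n"
```

An IP that only ever reached the portal is consistent with pure scanning traffic; one that also touched other hosts deserves a closer look before it goes on the block list.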