Global Protect Embargo Rules


L0 Member

Hi!

 

I have been trying the Embargo Rule for Geo Location restrictions for Global Protect in Prisma Cloud. This works perfectly to exclude the countries you do not want logins from.

 

What I would like to know is if someone has been able to use similar rules to add EDLs or Palo Alto built-in EDLs in the same type of rule. I cannot find any information on a solution, but some findings suggested it should work.

 

An even better way would be to be able to add a Dynamic Group to the rule, dropping every attempt by non-authorized users, or users without a domain prefix. All bad attempts on my GP are by single names like "Adminp", "john" and "user1".

 

This is part of my work to minimize bad login attempts in Global Protect. We use SAML and 2-factor authentication, so that is not what I am concerned about. It just looks bad, and it would be in Palo Alto's interest to minimize the insane number of logins in Prisma Access.

 

Br

Jonas

1 REPLY

L4 Transporter

Hi

 

I have literally just been looking at this myself this morning. There is a KB article here, Brute force attacks seen on Prisma Access portal from specific ... - Knowledge Base - Palo Alto Netw..., that I am sure you have seen, but it does say that you can use pre-defined and custom EDLs in the embargo rules. My only concern with using GEO blocking for embargo rules is that a simple VPN would potentially (after some trial and error on the part of the attacker, I guess) subvert them. SAML is a really good way to go, and I have implemented a certificate requirement for the portal as well; I still get the same amount of logs, just that they all say "certificate not present" or words to that effect.

As a test I created the rule suggested in the link to the Embargo Rule Creation, with my own public IP as the source, to see what I could reach after implementing the steps in the documentation. It did indeed block my access to the portal, so I would assume that the documentation is all good and you can use EDLs.

Probably the best way would be to publish an EDL created from some logic applied to log forwarding, then consume that to block repeated attempts. This is where you could write the logic you suggest, such as repeated attempts from addresses over time, or even some regex to ensure that only usernames with the expected format would not trigger the block.

Hope that Helps!

Check out my YouTube channel - https://www.youtube.com/@mode4480
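The log-to-EDL idea described in the reply above, as an added illustration that is not part of the original thread and not Palo Alto's own tooling: a small Python script that reads forwarded authentication-failure records, ignores usernames that already carry the expected domain prefix, counts the remaining failures per source address inside a sliding time window, and emits the offending addresses as a plain-text list (one entry per line) that a firewall could consume as an IP EDL. The log line layout, the `CORP\` prefix, the threshold and the window are all constructed assumptions for the example, not the real Prisma Access or GlobalProtect log schema.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (NOT the real GlobalProtect log format):
# timestamp, source IP, username, authentication result.
SAMPLE_LOGS = """\
2024-05-01T08:00:01Z 203.0.113.10 Adminp auth-fail
2024-05-01T08:00:05Z 203.0.113.10 john auth-fail
2024-05-01T08:00:09Z 203.0.113.10 user1 auth-fail
2024-05-01T08:01:00Z 198.51.100.7 CORP\\alice auth-fail
2024-05-01T08:01:30Z 198.51.100.7 CORP\\alice auth-success
2024-05-01T09:30:00Z 192.0.2.55 root auth-fail
2024-05-01T09:30:02Z 192.0.2.55 CORP\\bob auth-fail
2024-05-01T09:30:04Z 192.0.2.55 guest auth-fail
2024-05-01T12:00:00Z 203.0.113.10 test auth-fail
"""

# One record per line: <timestamp> <ip> <user> <auth-fail|auth-success>
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(auth-fail|auth-success)$")

# Assumed "expected" username format: a CORP\ domain prefix followed by
# a simple account name. A real deployment would use its own domain.
EXPECTED_USER = re.compile(r"^CORP\\[A-Za-z0-9._-]+$")


def parse_events(text):
    """Turn the raw text into (timestamp, ip, user, result) tuples, oldest first.
    Lines that do not match the expected layout are skipped rather than
    allowed to crash the job (log forwarding is rarely perfectly clean)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    events.sort(key=lambda e: e[0])
    return events


def build_edl(text, expected_user=EXPECTED_USER, threshold=3,
              window=timedelta(seconds=60)):
    """Return the sorted list of source IPs that produced at least `threshold`
    failed logins with an unexpected username format inside any `window`.
    Failures for correctly formatted (domain-prefixed) accounts are ignored so
    that a legitimate user who mistypes a password is not listed."""
    recent = defaultdict(deque)   # ip -> timestamps of qualifying failures
    blocked = set()
    for ts, ip, user, result in parse_events(text):
        if result != "auth-fail" or expected_user.match(user):
            continue
        q = recent[ip]
        q.append(ts)
        # Drop failures that fell out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            blocked.add(ip)
    return sorted(blocked)


def render_edl(ips):
    """Plain text, one address per line, the shape an IP EDL is served in."""
    return "".join(ip + "\n" for ip in ips)


if __name__ == "__main__":
    # With the constructed data only 203.0.113.10 trips the default threshold.
    print(render_edl(build_edl(SAMPLE_LOGS)), end="")
```

The output file would be published on an HTTPS host that the firewall can fetch and referenced as a custom EDL in the embargo rule. Keeping the window short and the threshold modest limits how long a shared or NATed address stays listed, and the username filter means the list only ever reflects attempts that do not look like your own users.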