GlobalProtect - bruteforce - limit user/password guessing


GlobalProtect - bruteforce - limit user/password guessing

L0 Member

I know that this topic was discussed 100X times about GlobalProtect bruteforce.

Is it possible to set up a GlobalProtect policy in a way that, if a user is not part of any AD group, then no AD/LDAP authentication is being triggered to the internal AD?

We are seeing bruteforce attempts with non-existing AD users and we want to limit this.

Br, Luka

2 REPLIES

Cyber Elite

@LukaKrizman,

This isn't a possibility in PAN-OS at the moment. PAN-OS will always attempt to authenticate the user provided and then validates that user against the allow list if the authentication was successful.

You could automate blocking any IP address that attempts to log in with an invalid username easily before waiting for a bruteforce to actually be identified. I'd personally have some logic to validate that the IP address isn't in the list of the current or previous users for the gateways prior to blocking it though; people have sausage fingers and you'd need a bit of logic to prevent blocking legitimate users who just mistype their username.
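As an added illustration of the logic described in this reply (not code from the poster or from Palo Alto Networks), the script below counts unknown-user authentication failures per source IP and skips any IP that has also authenticated successfully, so a legitimate user who mistyped their username is not blocked. The log lines are constructed and use an assumed simplified format, not the exact PAN-OS system-log syntax; the threshold and field names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a simplified, assumed format (not the exact
# PAN-OS system-log syntax): result, source IP, username attempted, and reason.
SAMPLE_LOGS = """\
auth-fail src=203.0.113.10 user=admin reason=user-not-found
auth-fail src=203.0.113.10 user=test reason=user-not-found
auth-fail src=203.0.113.10 user=root reason=user-not-found
auth-fail src=198.51.100.7 user=jsmtih reason=user-not-found
auth-ok src=198.51.100.7 user=jsmith
auth-fail src=192.0.2.44 user=backup reason=user-not-found
"""

LINE_RE = re.compile(r"^(auth-ok|auth-fail) src=(\S+) user=(\S+)(?: reason=(\S+))?$")


def parse_events(text):
    """Yield (result, src_ip, user, reason) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4)


def block_candidates(text, threshold=3):
    """Return source IPs with at least `threshold` unknown-user failures that have
    never authenticated successfully (the 'sausage fingers' guard from the reply)."""
    unknown_user_fails = defaultdict(int)
    known_good_ips = set()
    for result, src, _user, reason in parse_events(text):
        if result == "auth-ok":
            known_good_ips.add(src)
        elif reason == "user-not-found":
            unknown_user_fails[src] += 1
    return sorted(ip for ip, n in unknown_user_fails.items()
                  if n >= threshold and ip not in known_good_ips)


if __name__ == "__main__":
    # 203.0.113.10 is the only IP with three unknown users and no successful login.
    print(block_candidates(SAMPLE_LOGS))  # ['203.0.113.10']
```

In practice the `known_good_ips` set would be seeded from the gateway's current and historical successful-login records rather than only from the same log window.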

Is there any chance to push this feature into development? Does anybody know how to report to PA to do it?
