08-01-2025 01:01 PM
Good afternoon!
My Global Protect has 2FA set up so I'm only somewhat concerned about the number of fake connections I'm getting in the auth logs. They're all being routed to the identity provider and are getting squashed. However, I'd like very much to stomp these connections earlier in the chain and save myself some bandwidth. I've noted that these bogies are often trying multiple usernames from the same IP address.
Is there a way to put these IPs on a timeout and silently drop any connection attempts for, say, a day or a week?
Thanks to all for looking!
08-03-2025 10:20 AM
The best way to block GlobalProtect brute-force attempts at the firewall is to use a Vulnerability Protection Profile.
Create a Vulnerability Protection Profile: Go to Objects > Security Profiles > Vulnerability Protection.
Add a block-ip exception: Edit the profile and add an exception for signature ID 40017 ("Palo Alto Networks GlobalProtect Authentication Brute Force Attempt").
Configure the block: Set the action to block-ip and define the number of failed attempts, the time window, and the block duration (e.g., 604800 seconds for a week).
Apply the profile: Apply this new profile to the security policy that allows traffic to your GlobalProtect portal.
This will automatically and silently drop connections from a source IP after a set number of failed attempts, preventing them from ever reaching your identity provider.
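To help choose the threshold, time window and block duration before committing them, the following added example (not part of the original reply and not Palo Alto code) replays authentication events through a simplified per-source-IP block model and reports how many attempts would be dropped before reaching the identity provider. The event tuple format, the sample data and the sliding-window counting are assumptions made for illustration, not PAN-OS internals.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): time, source IP, username, result.
SAMPLE_EVENTS = [
    ("2025-08-01 13:00:00", "203.0.113.10", "admin", "fail"),
    ("2025-08-01 13:00:05", "203.0.113.10", "test", "fail"),
    ("2025-08-01 13:00:09", "203.0.113.10", "vpn", "fail"),
    ("2025-08-01 13:00:20", "203.0.113.10", "guest", "fail"),
    ("2025-08-01 13:02:00", "198.51.100.7", "jsmith", "fail"),
    ("2025-08-01 13:09:00", "198.51.100.7", "jsmith", "success"),
    ("2025-08-02 09:00:00", "203.0.113.10", "root", "fail"),
    ("2025-08-09 09:00:00", "203.0.113.10", "root", "fail"),
]

def simulate_block_ip(events, threshold=3, window_s=60, block_s=604800):
    """Replay time-ordered events through an assumed block-ip model.

    Returns (blocked_until per IP, dropped attempts per IP, forwarded count).
    """
    recent = defaultdict(deque)   # source IP -> timestamps of recent failures
    blocked_until = {}            # source IP -> time the block expires
    dropped = defaultdict(int)    # attempts dropped while the IP was blocked
    forwarded = 0                 # attempts that still reach the IdP
    for ts, ip, _user, result in events:
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if ip in blocked_until and now < blocked_until[ip]:
            dropped[ip] += 1      # silently dropped at the firewall
            continue
        forwarded += 1
        if result != "fail":
            continue
        failures = recent[ip]
        failures.append(now)
        # Keep only failures that fall inside the sliding time window.
        while failures and (now - failures[0]).total_seconds() > window_s:
            failures.popleft()
        if len(failures) >= threshold:
            blocked_until[ip] = now + timedelta(seconds=block_s)
            failures.clear()
    return blocked_until, dict(dropped), forwarded

if __name__ == "__main__":
    blocks, dropped, forwarded = simulate_block_ip(SAMPLE_EVENTS)
    for ip, until in blocks.items():
        print(f"{ip} blocked until {until}, {dropped.get(ip, 0)} attempts dropped")
    print(f"{forwarded} attempts forwarded to the identity provider")
```

Replaying real exported authentication events with a few candidate thresholds shows whether a legitimate user who mistypes a password a couple of times would be caught by the same settings.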