Unauthorized GP login attempts

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Unauthorized GP login attempts

L0 Member

Hi All – Just curious on when to get concerned about unauthorized GP login attempts. I’ve had a person from the RU making login attempts on our GP for about a year now. I speculate they are new at this, after a while they learned how to mask the ‘HOST NAME’ and use VPN, tho they do use the same IP and region, like I said, probably new at this. So for the past year they’d make a dozen attempts a day with generic user names like temp, temp1, user, admin, administrator, vpn, scan and random names, anne, carol, bill, none to be of concern. The past week they upped their attempts to north of 1k per day. Question is, when do I get concerned? Any suggestions to block them or do I just continue to monitor as long as the usernames stay generic and non-threatening to our security? Thanks - Richard

3 REPLIES 3

Cyber Elite
Cyber Elite

Objects > Security Profiles > Vulnerability Protection

 

Look up ID 40017 and adjust it according to your needs (after how many failed login attempts in x amount of seconds you block source IP for x amount of time).

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi @chipabf ,

Traffic to GlobalProtect Portal/Gateway is subject of policy inspection - meaning you need to have Security rule allowing such traffic. For most deployments this traffic is allowed by the default intra-zone rule at the bottom (because traffic is from source zone untrust/outside to zone unstrust/outside).

The benefit from this is that you can

- Create explicit rule allow traffic to your GP public IP

- Using Regions object https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-regions you can list allowed (or blocked) countries or world regions. If you know that you users will most likely never connect from Russia you can block it.

- In the same explicit rule you can apply Vulnerability profile enabling server-side signatures (no need for client-side).

- (optional) I usualy set the action to block-ip inside this specific Vuln profile. This way FW will add any bad IP in block-list for N amount of time if it triggers any of the known Vulnerability signatures.

- There are some GP specific signature including GP bruteforce login.

 

In addition to the explicit security rule with the specific Vuln profile you could create DoS policy rule. I haven't personally done such, but similar to any other normal traffic passing through the FW, you could create DoS rule matching traffic to your GP and prevent those attempts that are too agressive and are causing high amount of connection attempts.

Cyber Elite
Cyber Elite

Hi @chipabf ,

 

I used to get those all the time.  Here are some of the things I have done:

 

  1. The simplest method is to create an inbound block rule from any countries that don't require inbound access.  My solution in steps 2-4 is a little more complicated.  It uses a whitelist rather than a blacklist approach.  This not only blocks other countries, but also attempts to access ports that are not open.
  2. Disable the GP portal login page.  Most, if not all, of the attempts are HTTP-based and go away once the web page is disabled.  You don't need this page if you are not using it to distribute the client software.
  3. Do not use the intrazone-default rule for access to the outside interface.  Create a separate rule that allows panos-global-protect and, if configured, ipsec-esp-udp, and source this rule only from your home country.  Create other rules for S2S VPNs, BGP, etc. with specific sources.  Then all other countries are blocked.  (Exceptions can be made if a user goes out of country.)
  4. Then create a universal rule that denies access from the outside to any zone.  You may break things if #2 is not done completely!  Have a backout plan.

That has eliminated the vast majority of attempts.  However, I still am getting a few.  I have MFA configured for my GP.  So, I don't have to figure it out today.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
  • 2020 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!