- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
09-14-2023 07:18 AM
Hi All – Just curious on when to get concerned about unauthorized GP login attempts. I’ve had a person from the RU making login attempts on our GP for about a year now. I speculate they are new at this, after a while they learned how to mask the ‘HOST NAME’ and use VPN, tho they do use the same IP and region, like I said, probably new at this. So for the past year they’d make a dozen attempts a day with generic user names like temp, temp1, user, admin, administrator, vpn, scan and random names, anne, carol, bill, none to be of concern. The past week they upped their attempts to north of 1k per day. Question is, when do I get concerned? Any suggestions to block them or do I just continue to monitor as long as the usernames stay generic and non-threatening to our security? Thanks - Richard
09-14-2023 07:41 AM
Objects > Security Profiles > Vulnerability Protection
Look up ID 40017 and adjust it according to your needs (after how many failed login attempts in x amount of seconds you block source IP for x amount of time).
09-14-2023 07:45 AM
Hi @chipabf ,
Traffic to GlobalProtect Portal/Gateway is subject of policy inspection - meaning you need to have Security rule allowing such traffic. For most deployments this traffic is allowed by the default intra-zone rule at the bottom (because traffic is from source zone untrust/outside to zone unstrust/outside).
The benefit from this is that you can
- Create explicit rule allow traffic to your GP public IP
- Using Regions object https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-regions you can list allowed (or blocked) countries or world regions. If you know that you users will most likely never connect from Russia you can block it.
- In the same explicit rule you can apply Vulnerability profile enabling server-side signatures (no need for client-side).
- (optional) I usualy set the action to block-ip inside this specific Vuln profile. This way FW will add any bad IP in block-list for N amount of time if it triggers any of the known Vulnerability signatures.
- There are some GP specific signature including GP bruteforce login.
In addition to the explicit security rule with the specific Vuln profile you could create DoS policy rule. I haven't personally done such, but similar to any other normal traffic passing through the FW, you could create DoS rule matching traffic to your GP and prevent those attempts that are too agressive and are causing high amount of connection attempts.
09-14-2023 07:59 AM
Hi @chipabf ,
I used to get those all the time. Here are some of the things I have done:
That has eliminated the vast majority of attempts. However, I still am getting a few. I have MFA configured for my GP. So, I don't have to figure it out today.
Thanks,
Tom
05-26-2024 01:46 PM
Hey Tom,
I created a ticket a while ago about wanting to disable the GP portal, but support told me it's not possible. Can you let know how you did this? Is there a KB?
Cheers
05-26-2024 05:13 PM
Hi @hhiggins ,
Absolutely! Here it is -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbpCAC. My GP portal page stays disabled at all times. As the KB says, GP users can still log in.
You don't even need to enable it to download software. Users can go directly to the URL below with the login page disabled. (That's another story.)
https://yourdnsname.yourdomain.com/global-protect/getsoftwarepage.esp
Thanks,
Tom
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!