This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Use Auto-Tagging to block failed Global Protect login attempts

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Use Auto-Tagging to block failed Global Protect login attempts

Fluck
L1 Bithead

‎06-03-2024 12:16 PM

hi,

we use SAML for our Global Protect Portal and Gateway Authentication, so all logins are automatically forwarded to our IdP and are being processed there.

But for whatever reason we sometimes face Brute Force attacks on our portal, where all kinds of generic users are being tried to authenticate against the Portal:

1.png

for my understanding this login attempts will never be sucessful, as its not even forwarded to our IdP.

I guess it's a curl that is doing these login attempts.

but however, I take failed logins serious and have a Policy that blocks all traffic from these source IPs.

This list already got very long and I want to avoid doing this in a manual way.

I found there is a way of using auto-tags for automated security actions:
Use Auto-Tagging to Automate Security Actions (paloaltonetworks.com)

unfortunately this manual explains it very well for Authentication, Data, Threat, Traffic, Tunnel Inspection, URL, and WildFire logs, where rules work perfectly, but my required Global Protect Logs are only mentioned to be configured at Device - Log settings, where I can not configure a build-in Action, like automatic Tagging.

So I wonder how I can automate my policy with the mentioned Global Protect Logs?

0 Likes Likes
4 REPLIES 4

Claw4609
L5 Sessionator

‎06-03-2024 01:06 PM

Hello,

 

Assuming you have a vulnerability profile applied on your GP interface, is it triggering the brute force vulnerability? You can make various changes to this ID to fit your needs. Where you can set the action to block IP. 

Claw4609_0-1717444867944.png

Claw4609_2-1717444915162.png

 

 

At the end of the day, while certain actions can be taken, its a public facing site, you're going to have people trying to get into it. Depending on your SAML auth you could always set certain restrictions on that side as well. Presumably its not being forwarded to your IdP because they arent specifying the domain.

 

0 Likes Likes

Fluck
L1 Bithead

‎06-03-2024 11:58 PM

Hi,

 

yes, a vulerability profile is applied on the GP interface, but it is not triggered, because there are only 2 logins within a 7 minute timerange.

of course i can configure the vulnerability protection for up to 2 logins within a 10 minute timerange, but i though there was a better way to archive this, as it was also mentioned in a reddit post, that auto tag is the better option:

Block GlobalProtect brute force attack? : r/paloaltonetworks (reddit.com)

 

but they are also only referring to the Auto tagging article of Palo Alto which doesn't really explain how to do it in on the log settings.

0 Likes Likes

Raido_Rattameister
Cyber Elite
Cyber Elite

‎06-04-2024 05:13 AM

Be careful with brute force signature 40017.

It counts how many 32256 events happen during configured amount of time.

Issue is that both successful and failed logins generate 32256.

So if you have multiple users connecting to GlobalProtect from same source IP it is easy to trigger 40017 and block source IP of legit users.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes

Fluck
L1 Bithead

‎06-13-2024 06:16 AM

has noone any idea how to block these Brute Force attacks?

we currently get about 5.000 attempts per day, each of them creates a ticket through our system log that creates an email.

So right now I check the IP in the email and put it manually in a policy of blocked IPs.

Then I have to close each ticket, which almost costs me half of the day.

Of course i can filter out the logon attempts, but that would just mean I don't see it anymore, not that I block these attacks.

I don't get why the Palo Alto documentation is sometimes so extremely bad.

0 Likes Likes
  • 542 Views
  • 4 replies
  • 0 Likes
  • 47 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks