Block access to countries outside the GlobalProtect VPN

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Block access to countries outside the GlobalProtect VPN

L2 Linker
Good morning, reviewing the GlobalProtect logs I see brute force attacks from outside my country Spain.

I have tried to create security policies that prevent these attempts but none have matched.

In the portal configuration (external) I have tried to put Spain as high priority and the others as None but the FW does not give me that option.

I attach images of the attempts

Any ideas?

Thank you.
2 accepted solutions

Accepted Solutions

Without the column titles these are hard to read (are the titles translated to Spanish as well?).

If I understand your setting correct, then you are blocking access from sources other than Spain to the portal if the application is panos-global-protect.

Can you check the log entries of the brute-force access (check for application, zones, port, rule name)? The detected application might be ssl or something different. If that's the case, then your rule does not match.

View solution in original post

Cyber Elite
Cyber Elite

Hi @ccortijo ,

 

Traffic from the untrust zone to the interface in the same untrust zone is allowed by the intrazone-default rule.  The easiest way to solve your problem is to create a drop rule (which will be above intrazone-default) that will drop all countries you do not want.

 

Rule Type:  intrazone

Source Zone:  Untrust

Source Address:  List you countries you want to allow and check Negate.

Destination Address:  Portal IP (could also be any if you want to block for all public IP addresses)

Application:  Any

Service/URL Category:  Any

Action:  Drop

 

You can choose not to log if you don't want the clutter, but you may need to enable for troubleshooting.

 

You can also stop 99% of the brute force attacks by disabling the portal login page.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

View solution in original post

7 REPLIES 7

L1 Bithead

The setting on the portal is used by the clients once authenticated (which is too late on your issue).

You might need to address this on the security policy which grants access to the portal (and gateway). Instead of granting "any" (or all public IPs, ...), you need to use the region "ES (Spain)" in the security policy.

L2 Linker
Hello,

Thanks for responding, I have a policy applied but it doesn't seem to apply.

I attach images of the GlobalProtect configuration, NAT and security policies

Without the column titles these are hard to read (are the titles translated to Spanish as well?).

If I understand your setting correct, then you are blocking access from sources other than Spain to the portal if the application is panos-global-protect.

Can you check the log entries of the brute-force access (check for application, zones, port, rule name)? The detected application might be ssl or something different. If that's the case, then your rule does not match.

Cyber Elite
Cyber Elite

Hi @ccortijo ,

 

Traffic from the untrust zone to the interface in the same untrust zone is allowed by the intrazone-default rule.  The easiest way to solve your problem is to create a drop rule (which will be above intrazone-default) that will drop all countries you do not want.

 

Rule Type:  intrazone

Source Zone:  Untrust

Source Address:  List you countries you want to allow and check Negate.

Destination Address:  Portal IP (could also be any if you want to block for all public IP addresses)

Application:  Any

Service/URL Category:  Any

Action:  Drop

 

You can choose not to log if you don't want the clutter, but you may need to enable for troubleshooting.

 

You can also stop 99% of the brute force attacks by disabling the portal login page.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Thank you very much for the help and the idea!

I monitored a traffic log from a malicious IP that was performing brute force attacks and saw what parameters were necessary to make my policy match.

It worked!

Thank you very much for the help!

It worked!

Hello Tom,

 

I have same situation Global Protect portal is configured on WAN interface, but what ever security policy I made to block to GP Web page it is not working, I tried your advice creating intrazone policy to block specifically to tcp/443 port but it is not catching this policy.

Where I'm having mistake on configuration I'm puzzled right now.

  • 2 accepted solutions
  • 9033 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!