- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
12-26-2023 01:38 AM
Good morning, reviewing the GlobalProtect logs I see brute force attacks from outside my country Spain.
I have tried to create security policies that prevent these attempts but none have matched.
In the portal configuration (external) I have tried to put Spain as high priority and the others as None but the FW does not give me that option.
I attach images of the attempts
Any ideas?
Thank you.
12-26-2023 04:56 AM
Without the column titles these are hard to read (are the titles translated to Spanish as well?).
If I understand your setting correct, then you are blocking access from sources other than Spain to the portal if the application is panos-global-protect.
Can you check the log entries of the brute-force access (check for application, zones, port, rule name)? The detected application might be ssl or something different. If that's the case, then your rule does not match.
12-26-2023 03:52 PM
Hi @ccortijo ,
Traffic from the untrust zone to the interface in the same untrust zone is allowed by the intrazone-default rule. The easiest way to solve your problem is to create a drop rule (which will be above intrazone-default) that will drop all countries you do not want.
Rule Type: intrazone
Source Zone: Untrust
Source Address: List you countries you want to allow and check Negate.
Destination Address: Portal IP (could also be any if you want to block for all public IP addresses)
Application: Any
Service/URL Category: Any
Action: Drop
You can choose not to log if you don't want the clutter, but you may need to enable for troubleshooting.
You can also stop 99% of the brute force attacks by disabling the portal login page.
Thanks,
Tom
12-26-2023 02:29 AM
The setting on the portal is used by the clients once authenticated (which is too late on your issue).
You might need to address this on the security policy which grants access to the portal (and gateway). Instead of granting "any" (or all public IPs, ...), you need to use the region "ES (Spain)" in the security policy.
12-26-2023 04:56 AM
Without the column titles these are hard to read (are the titles translated to Spanish as well?).
If I understand your setting correct, then you are blocking access from sources other than Spain to the portal if the application is panos-global-protect.
Can you check the log entries of the brute-force access (check for application, zones, port, rule name)? The detected application might be ssl or something different. If that's the case, then your rule does not match.
12-26-2023 03:52 PM
Hi @ccortijo ,
Traffic from the untrust zone to the interface in the same untrust zone is allowed by the intrazone-default rule. The easiest way to solve your problem is to create a drop rule (which will be above intrazone-default) that will drop all countries you do not want.
Rule Type: intrazone
Source Zone: Untrust
Source Address: List you countries you want to allow and check Negate.
Destination Address: Portal IP (could also be any if you want to block for all public IP addresses)
Application: Any
Service/URL Category: Any
Action: Drop
You can choose not to log if you don't want the clutter, but you may need to enable for troubleshooting.
You can also stop 99% of the brute force attacks by disabling the portal login page.
Thanks,
Tom
12-26-2023 11:11 PM
Thank you very much for the help and the idea!
I monitored a traffic log from a malicious IP that was performing brute force attacks and saw what parameters were necessary to make my policy match.
It worked!
12-26-2023 11:12 PM
Thank you very much for the help!
It worked!
07-29-2024 03:48 PM
Hello Tom,
I have same situation Global Protect portal is configured on WAN interface, but what ever security policy I made to block to GP Web page it is not working, I tried your advice creating intrazone policy to block specifically to tcp/443 port but it is not catching this policy.
Where I'm having mistake on configuration I'm puzzled right now.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!