This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Block access to countries outside the GlobalProtect VPN

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Block access to countries outside the GlobalProtect VPN

Go to solution
ccortijo
L2 Linker

‎12-26-2023 01:38 AM 

Good morning, reviewing the GlobalProtect logs I see brute force attacks from outside my country Spain.

I have tried to create security policies that prevent these attempts but none have matched.

In the portal configuration (external) I have tried to put Spain as high priority and the others as None but the FW does not give me that option.

I attach images of the attempts

Any ideas?

Thank you.
Preview file
122 KB
0 Likes Likes
2 accepted solutions

Accepted Solutions

Go to solution
joergsch1
L1 Bithead
In response to ccortijo

‎12-26-2023 04:56 AM

Without the column titles these are hard to read (are the titles translated to Spanish as well?).

If I understand your setting correct, then you are blocking access from sources other than Spain to the portal if the application is panos-global-protect.

Can you check the log entries of the brute-force access (check for application, zones, port, rule name)? The detected application might be ssl or something different. If that's the case, then your rule does not match.

View solution in original post

0 Likes Likes
(1)

Go to solution
TomYoung
Cyber Elite
Cyber Elite

‎12-26-2023 03:52 PM

Hi @ccortijo ,

 

Traffic from the untrust zone to the interface in the same untrust zone is allowed by the intrazone-default rule.  The easiest way to solve your problem is to create a drop rule (which will be above intrazone-default) that will drop all countries you do not want.

 

Rule Type:  intrazone

Source Zone:  Untrust

Source Address:  List you countries you want to allow and check Negate.

Destination Address:  Portal IP (could also be any if you want to block for all public IP addresses)

Application:  Any

Service/URL Category:  Any

Action:  Drop

 

You can choose not to log if you don't want the clutter, but you may need to enable for troubleshooting.

 

You can also stop 99% of the brute force attacks by disabling the portal login page.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

View solution in original post

2 people found this solution to be helpful.
(1)
7 REPLIES 7

Go to solution
joergsch1
L1 Bithead

‎12-26-2023 02:29 AM

The setting on the portal is used by the clients once authenticated (which is too late on your issue).

You might need to address this on the security policy which grants access to the portal (and gateway). Instead of granting "any" (or all public IPs, ...), you need to use the region "ES (Spain)" in the security policy.

0 Likes Likes

Go to solution
ccortijo
L2 Linker

‎12-26-2023 04:08 AM 

Hello,

Thanks for responding, I have a policy applied but it doesn't seem to apply.

I attach images of the GlobalProtect configuration, NAT and security policies
Preview file
14 KB
Preview file
5 KB
Preview file
10 KB
Preview file
5 KB
Preview file
5 KB
0 Likes Likes

Go to solution
joergsch1
L1 Bithead
In response to ccortijo

‎12-26-2023 04:56 AM

Without the column titles these are hard to read (are the titles translated to Spanish as well?).

If I understand your setting correct, then you are blocking access from sources other than Spain to the portal if the application is panos-global-protect.

Can you check the log entries of the brute-force access (check for application, zones, port, rule name)? The detected application might be ssl or something different. If that's the case, then your rule does not match.

0 Likes Likes
(1)

Go to solution
TomYoung
Cyber Elite
Cyber Elite

‎12-26-2023 03:52 PM

Hi @ccortijo ,

 

Traffic from the untrust zone to the interface in the same untrust zone is allowed by the intrazone-default rule.  The easiest way to solve your problem is to create a drop rule (which will be above intrazone-default) that will drop all countries you do not want.

 

Rule Type:  intrazone

Source Zone:  Untrust

Source Address:  List you countries you want to allow and check Negate.

Destination Address:  Portal IP (could also be any if you want to block for all public IP addresses)

Application:  Any

Service/URL Category:  Any

Action:  Drop

 

You can choose not to log if you don't want the clutter, but you may need to enable for troubleshooting.

 

You can also stop 99% of the brute force attacks by disabling the portal login page.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
2 people found this solution to be helpful.
(1)

Go to solution
ccortijo
L2 Linker
In response to joergsch1

‎12-26-2023 11:11 PM

Thank you very much for the help and the idea!

I monitored a traffic log from a malicious IP that was performing brute force attacks and saw what parameters were necessary to make my policy match.

It worked!

0 Likes Likes

Go to solution
ccortijo
L2 Linker
In response to TomYoung

‎12-26-2023 11:12 PM

Thank you very much for the help!

It worked!

Go to solution
B.Alimov
L1 Bithead
In response to TomYoung

‎07-29-2024 03:48 PM

Hello Tom,

 

I have same situation Global Protect portal is configured on WAN interface, but what ever security policy I made to block to GP Web page it is not working, I tried your advice creating intrazone policy to block specifically to tcp/443 port but it is not catching this policy.

Where I'm having mistake on configuration I'm puzzled right now.

0 Likes Likes
  • 2 accepted solutions
  • 6954 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks