URL filtering or tightening up on GlobalProtect security rule?


I have a security rule for my GlobalProtect, and want to see if I can make it even tighter....

  • Source
    • Zone: untrust (outside)
    • Address\User\Device: Any
  • Destination
    • Zone: untrust 
    • Address: IP of my interface/GlobalProtect IP
    • Device: Any
  • Application
    • Any
  • Service/URL
    • GP-4501 (4501/udp)
    • service-https
    • Category: Any
  • Actions
    • Just a vulnerability group that blocks brute force (40017) 

Thinking there is an opportunity to lock that down even more. Maybe with URL filtering? Maybe with applications? I am only seeing ipsec-esp-udp, ssl, and panos-global-protect as the biggest applications. 
I do have my home IP address whitelisted on the interface management as a 'just in case' sort of thing....so I don't want to inadvertently kill that. Maybe put my emergency IP addresses into a different security group?
Thanks for any suggestions or criticisms! 

Cyber Elite

@inSync-MarkValpreda,

I would utilize app-id for this and do away with your any application and service rule that you have currently. Also note that if your security profile is only accounting for 40017, you're missing 16 other signatures related to GlobalProtect. I don't much see a point in maintaining a profile specific to GlobalProtect and trying to manually specify IDs that should be active.

Can you limit the sources that you're allowing to hit your portal/gateway? You can cut back exposure and scanning/probing by limiting to the regions that you actually need active; while this doesn't prevent a targeted attack by any means it at least cuts back on noise.
@inSync-MarkValpreda wrote:

I do have my home IP address whitelisted on the interface management as a 'just in case' sort of thing....so I don't want to inadvertently kill that. Maybe put my emergency IP addresses into a different security group?


Why? Do you have a static IP at your house or are you just relying on it staying the same?

Personally this is never something that I would facilitate or allow any of my staff to implement. The risk analysis for this would never have the benefit of this outweigh the risk that is introduced. Things either wait until someone can be onsite and restore things properly, or you implement a proper out-of-band connection.
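As an added example (not from the thread or from Palo Alto Networks), the following script audits PAN-OS-style security rule entries for the three points raised above: application any, explicit service ports instead of application-default, and an unrestricted source. The two rule entries are constructed to mirror the poster's current rule and the App-ID based alternative; the object names and the US/CA region members are illustrative placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed rule entries laid out like the <rulebase><security><rules><entry>
# section of a PAN-OS running config. Names and region members are placeholders.
RULES_XML = """
<rules>
  <entry name="GP-Inbound-current">
    <from><member>untrust</member></from><to><member>untrust</member></to>
    <source><member>any</member></source>
    <destination><member>gp-gateway-ip</member></destination>
    <application><member>any</member></application>
    <service><member>GP-4501</member><member>service-https</member></service>
    <action>allow</action>
  </entry>
  <entry name="GP-Inbound-appid">
    <from><member>untrust</member></from><to><member>untrust</member></to>
    <source><member>US</member><member>CA</member></source>
    <destination><member>gp-gateway-ip</member></destination>
    <application><member>panos-global-protect</member><member>ssl</member>
                 <member>ipsec-esp-udp</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
  </entry>
</rules>
"""

def members(entry, tag):
    """Return the member values of one rule field (source, application, ...)."""
    return [m.text for m in entry.findall(f"{tag}/member")]

def audit_rule(entry):
    """Findings for an allow rule that exposes a GlobalProtect portal/gateway."""
    findings = []
    if members(entry, "application") == ["any"]:
        findings.append("application any: identify the traffic with App-ID")
    svc = members(entry, "service")
    if svc and svc != ["application-default"]:
        findings.append("explicit service ports: use application-default with App-ID")
    if members(entry, "source") == ["any"]:
        findings.append("source any: restrict to the regions that need access")
    return findings

def audit(xml_text):
    """Map each rule name to its list of findings (empty list = nothing flagged)."""
    root = ET.fromstring(xml_text)
    return {e.get("name"): audit_rule(e) for e in root.findall("entry")}

if __name__ == "__main__":
    for name, found in audit(RULES_XML).items():
        print(name, "->", found or ["no findings"])
```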
