11-01-2023 12:19 PM
We don't have users in Switzerland / Netherlands, but I can see consistent login attempts from the GlobalProtect logs.
I know the true location is masked, but this is a persistent thing; wondering if you guys also get this?
I've geo-blocked suspicious regions already, but these logins are still visible; maybe my policy is not working right.
Probably implement MFA for GlobalProtect as well.
11-01-2023 01:36 PM
Hi RandyMeng,
We also see these kinds of logins.
The Source User "cole" is not a real user. Right?
The "attacker" may also use real login names. That is because you may use the URL "vpn.abcde.com" and the attacker finds some abcde.com email addresses on LinkedIn or your website.
The world strongly recommends activating MFA for any kind of login!
You can also use HIP profiles (if GlobalProtect license is active) or certificates to protect you from credential theft.
Double check your geo blocking rule.
Hope this helps.
Regards,
Peter
11-01-2023 03:47 PM
Correct, Cole is not a real user. I think they're just brute forcing and throwing mud at the wall. It'd be nice to block even the attempts altogether, hence the geo-block policy.
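
One way to check the two questions raised in this thread from an exported login log: do attempts from blocked regions still reach the portal, and are the usernames invented or real? This is an added example, not code from the posters or from Palo Alto Networks; the CSV columns, the allowed-region list and the account names are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample log export. Column names are assumptions for this
# example, not the GlobalProtect log schema; map your own export to them.
SAMPLE_LOG = """time,src_ip,src_region,user,status
2023-11-01T10:01:02,198.51.100.7,CH,cole,failure
2023-11-01T10:01:09,198.51.100.7,CH,admin,failure
2023-11-01T10:01:15,198.51.100.7,CH,j.doe,failure
2023-11-01T10:03:40,203.0.113.20,NL,cole,failure
2023-11-01T10:05:11,192.0.2.44,US,j.doe,success
2023-11-01T10:06:30,192.0.2.45,US,a.smith,failure
"""

ALLOWED_REGIONS = {"US"}             # hypothetical: where real users sit
KNOWN_USERS = {"j.doe", "a.smith"}   # hypothetical directory accounts


def triage(log_text, allowed_regions, known_users, noisy_threshold=3):
    """Summarise login attempts that a geo-block rule should have stopped."""
    leaks = Counter()    # region -> attempts that still reached the portal
    per_ip = Counter()   # source IP -> failed attempts
    invented, harvested = set(), set()
    for row in csv.DictReader(io.StringIO(log_text)):
        outside = row["src_region"] not in allowed_regions
        if outside:
            # A logged attempt from a blocked region means the traffic was
            # not dropped before authentication: the rule is not matching it.
            leaks[row["src_region"]] += 1
        if row["status"] != "failure":
            continue
        per_ip[row["src_ip"]] += 1
        if row["user"] not in known_users:
            invented.add(row["user"])     # guessed names such as "cole"
        elif outside:
            harvested.add(row["user"])    # real account tried from abroad
    return {
        "geo_block_leaks": dict(leaks),
        "invented_users": sorted(invented),
        "real_users_targeted": sorted(harvested),
        "noisy_sources": sorted(ip for ip, n in per_ip.items()
                                if n >= noisy_threshold),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, ALLOWED_REGIONS, KNOWN_USERS).items():
        print(f"{key}: {value}")
```

A non-empty `geo_block_leaks` after the geo-block rule is in place points at the rule's zone, address or ordering; a non-empty `real_users_targeted` is the case where MFA or certificates matter most.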

