This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Suspicious VPN log in attempts - do you guys also get this?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Suspicious VPN log in attempts - do you guys also get this?

RandyMeng
L1 Bithead

‎11-01-2023 12:19 PM

We don't have users in Switzerland / Netherlands, but I can see consistent log in attempts from the GlobalProtect logs.

 

I know the true locations is masked, but this is a persistent thing, wondering if you guys also get this?

 

I've geo-blocked suspicious regions already, but these log ins still visible, maybe my policy is not working right.

 

Probably implement MFA for GlobalProtect as well.

 

RandyMeng_0-1698866278406.png

RaNsUm
0 Likes Likes
2 REPLIES 2

PeterMS
L1 Bithead

‎11-01-2023 01:36 PM

Hi RandyMeng,

 

we also see these kind of logins.

The Source User "cole" is not a real user. Right?

The "attacker" may also use real login names. That is, because you maybe use the URL "vpn.abcde.com" and the attacker find some abcde.com email addresses on Linkedin or your website.

 

The world strongly recommends to activate MFA for any kind of logins!

You can also use HIP profiles (if GlobalProtect license is active) or certificates to protect you from credential theft.

 

Double check your geo blocking rule.

  • Run this block rule as the first policy (or after first one or two default rules)
  • Select all allowed regions as Source Address and then negate (checkbox below) the selection.
    Don't forget to add your internal networks!

 

Hope this helps.

 

Regards,

Peter

 

 

RandyMeng
L1 Bithead
In response to PeterMS

‎11-01-2023 03:47 PM

Correct, Cole is not a real user, I think they're just brute force and throwing mud on the wall. It'd be nice to block even the attempts all together, hence the geo-block policy.

RaNsUm
0 Likes Likes
  • 1120 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks