Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Suspicious VPN log in attempts - do you guys also get this?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Suspicious VPN log in attempts - do you guys also get this?

L1 Bithead

We don't have users in Switzerland / Netherlands, but I can see consistent log in attempts from the GlobalProtect logs.

 

I know the true locations is masked, but this is a persistent thing, wondering if you guys also get this?

 

I've geo-blocked suspicious regions already, but these log ins still visible, maybe my policy is not working right.

 

Probably implement MFA for GlobalProtect as well.

 

RandyMeng_0-1698866278406.png

RaNsUm
2 REPLIES 2

L1 Bithead

Hi RandyMeng,

 

we also see these kind of logins.

The Source User "cole" is not a real user. Right?

The "attacker" may also use real login names. That is, because you maybe use the URL "vpn.abcde.com" and the attacker find some abcde.com email addresses on Linkedin or your website.

 

The world strongly recommends to activate MFA for any kind of logins!

You can also use HIP profiles (if GlobalProtect license is active) or certificates to protect you from credential theft.

 

Double check your geo blocking rule.

  • Run this block rule as the first policy (or after first one or two default rules)
  • Select all allowed regions as Source Address and then negate (checkbox below) the selection.
    Don't forget to add your internal networks!

 

Hope this helps.

 

Regards,

Peter

 

 

Correct, Cole is not a real user, I think they're just brute force and throwing mud on the wall. It'd be nice to block even the attempts all together, hence the geo-block policy.

RaNsUm
  • 1120 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!