how to configure/Restrict Prisma Management Access

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

how to configure/Restrict Prisma Management Access

L2 Linker

Hi

We are deploying Prisma Access. Deployment is on progress. From the security logs we can see that we are hitting some brute force attacks. We are using Cloud managed Prisma Access. Not the Panaroma managed. 

 

How do we configure the Management Access Policy? I want to whitelist our selective IP addresses. Ho do we do this in Prisma ? 

 

Note: I have tried this Document but I cant find Trusted IP feature in my portal. 
Trusted IP Addresses on Prisma Cloud (paloaltonetworks.com)

 

Thanks

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

yeah that article is for prisma cloud so won't apply to prisma access

 

 

I am wondering: you say you're seeing brute force in the traffic log, but you are using prisma access cloud managed, which lives on the palo alto HUB portal (which you can't see in your security logs because this portal is maintained by Palo Alto and not your tenant) can you clarify what you're seeing exactly?

 

are you seeing brute force attacks against your (GP) Portal/gateways maybe?

 

the attacks, are they coming from a certain country you would be able to block off? you could use an embargo rule to block everyone from there connecting to you : https://docs.paloaltonetworks.com/prisma-access/administration/prisma-access-advanced-deployments/bl...

 

next, are you using LDAP for authentication? you could switch to SAML which also offloads the authentication to your IdP, and can apply conditional access etc

 

Make sure to add an any any deny rule at the end of your security policy, and only create security rules for the access needed (always use zones, be as specific as possible). 

 

 

hope this helps, feel free to post additional information if my reply was not helpful 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

yeah that article is for prisma cloud so won't apply to prisma access

 

 

I am wondering: you say you're seeing brute force in the traffic log, but you are using prisma access cloud managed, which lives on the palo alto HUB portal (which you can't see in your security logs because this portal is maintained by Palo Alto and not your tenant) can you clarify what you're seeing exactly?

 

are you seeing brute force attacks against your (GP) Portal/gateways maybe?

 

the attacks, are they coming from a certain country you would be able to block off? you could use an embargo rule to block everyone from there connecting to you : https://docs.paloaltonetworks.com/prisma-access/administration/prisma-access-advanced-deployments/bl...

 

next, are you using LDAP for authentication? you could switch to SAML which also offloads the authentication to your IdP, and can apply conditional access etc

 

Make sure to add an any any deny rule at the end of your security policy, and only create security rules for the access needed (always use zones, be as specific as possible). 

 

 

hope this helps, feel free to post additional information if my reply was not helpful 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L2 Linker

Hi Reaper

Yes, Sorry my post was not clear in words. Yes, I was getting Brute Force in my Global Protect Portal as we are using Prisma Access. I have created Geo Block policy as you recommended.

 

We have SAML ,MFA. However , GEO Block Policy the best First layer of defense. And We created  deny any any at the bottom before the default rules. Thanks for adding up those. 

 

I often mixed up Prisma cloud and Prisma access !! Thanks again for pointing that out. Ha Ha. 

 

 

L2 Linker

Hi Ariq,
Are you still seeing those logs, I believe some of the logs you see in traffic logs are the gcp /aws ip running health check kinda stuff, just want to be sure you are not referring to those logs when you implemented GEO-Block Do you still see those logs?

  • 1 accepted solution
  • 3753 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!