09-10-2023 05:45 PM
Hi
We are deploying Prisma Access. Deployment is in progress. From the security logs we can see that we are hitting some brute force attacks. We are using Cloud managed Prisma Access, not the Panorama managed.
How do we configure the Management Access Policy? I want to whitelist our selective IP addresses. How do we do this in Prisma?
Note: I have tried this document but I can't find the Trusted IP feature in my portal.
Trusted IP Addresses on Prisma Cloud (paloaltonetworks.com)
Thanks
09-11-2023 03:51 AM
Yeah, that article is for Prisma Cloud so won't apply to Prisma Access.
I am wondering: you say you're seeing brute force in the traffic log, but you are using Prisma Access cloud managed, which lives on the Palo Alto HUB portal (which you can't see in your security logs because this portal is maintained by Palo Alto and not your tenant). Can you clarify what you're seeing exactly?
Are you seeing brute force attacks against your (GP) Portal/gateways maybe?
The attacks, are they coming from a certain country you would be able to block off? You could use an embargo rule to block everyone from there connecting to you: https://docs.paloaltonetworks.com/prisma-access/administration/prisma-access-advanced-deployments/bl...
Next, are you using LDAP for authentication? You could switch to SAML, which also offloads the authentication to your IdP and can apply conditional access etc.
Make sure to add an any any deny rule at the end of your security policy, and only create security rules for the access needed (always use zones, be as specific as possible).
Hope this helps, feel free to post additional information if my reply was not helpful.
09-11-2023 03:53 PM
Hi Reaper
Yes, sorry, my post was not clear in words. Yes, I was getting brute force on my GlobalProtect Portal as we are using Prisma Access. I have created a Geo Block policy as you recommended.
We have SAML, MFA. However, GEO Block Policy is the best first layer of defense. And we created deny any any at the bottom before the default rules. Thanks for adding up those.
I often mix up Prisma Cloud and Prisma Access!! Thanks again for pointing that out. Ha ha.
09-24-2023 12:15 AM
Hi Ariq,
Are you still seeing those logs? I believe some of the logs you see in traffic logs are the GCP/AWS IPs running health check kinda stuff. Just want to be sure you are not referring to those logs when you implemented GEO-Block. Do you still see those logs?