Use Auto-Tagging to block failed Global Protect login attempts

L1 Bithead

Hi,

We use SAML for our Global Protect Portal and Gateway authentication, so all logins are automatically forwarded to our IdP and are processed there.

But for whatever reason we sometimes face Brute Force attacks on our portal, where all kinds of generic users are being tried to authenticate against the Portal:

[Screenshot attachment: 1.png]

To my understanding, these login attempts will never be successful, as they are not even forwarded to our IdP.

I guess it's a curl that is doing these login attempts.

However, I take failed logins seriously and have a policy that blocks all traffic from these source IPs.

This list already got very long and I want to avoid doing this in a manual way.

I found there is a way of using auto-tags for automated security actions:
Use Auto-Tagging to Automate Security Actions (paloaltonetworks.com)

Unfortunately, this manual explains it very well for Authentication, Data, Threat, Traffic, Tunnel Inspection, URL, and WildFire logs, where rules work perfectly, but my required Global Protect logs are only mentioned as being configured at Device - Log settings, where I cannot configure a built-in action, like automatic tagging.

So I wonder how I can automate my policy with the mentioned Global Protect Logs?
