09-02-2024 09:10 AM - edited 09-02-2024 09:16 AM
hey,
I totally agree with all points of TomYoung. He is completely right, but that doesn't work in our case, as we have employees all over the world with always-changing public IP addresses, so whitelisting or country blocking won't work for us.
But of course we already set up the PAN-OS EDLs, and we also only allow the applications in our policy rules.
Anyway, I found a solution that is not the nicest, but it works against massive brute-force attacks.
1. You need to create a new tag; I called it blocked-ips in my case. I also colored it red.
2. Create a vulnerability protection profile (or use one you already have) and add the ID 40017 under Exceptions.
As the action I used Block IP for 600 seconds (Source only):
3. Attach that profile to your GlobalProtect inbound rule.
I have one for the Portal and one for the Gateway and attached it to both.
You cannot use auto-tagging for failed GlobalProtect events, but you can create a log forwarding profile for when this vulnerability protection rule is triggered.
4.
(Don't worry about the censored filter; we just have an exception for our company's public IPs so that these don't get blocked.)
As the action, tag the source IP with the tag you created earlier:
5. Now all you need to do is create a dynamic address group that matches the tag:
6. Now create a new policy rule and block all traffic coming from this dynamic group.
Be aware: if you don't attach the dynamic group to a policy rule, it won't get filled even when the event is triggered; it cost me a lot of time to find that out.
And please also be aware that event 40017 is also triggered on successful logins, so choose your time attributes in the vulnerability protection profile wisely. We chose 9 failed logons; as each login costs us 2 triggered events (portal + gateway), we can log in 4 times within 900 seconds without being blocked. With 5 logins, even successful ones, the user is blocked until unblocked manually.
You can unblock IPs on the dynamic address group if you click on more... under Addresses:
and then unregister the tag:
and then add the tag:
That doesn't require a commit.
I hope I could help someone; I'm personally not really happy with this solution, but it's better than nothing.
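As an added example (not the poster's configuration and not Palo Alto's own code), the manual unblock step above, unregistering the blocked-ips tag from an address in the dynamic address group, can be scripted through the PAN-OS XML API User-ID interface. The firewall hostname, the API key environment variable and the never-block network are assumed placeholders; only the tag name comes from the post.

```python
"""Register or unregister the blocked-ips tag on an IP via the PAN-OS
XML API (type=user-id). Added example, not from the original post.
Assumed placeholders: FIREWALL_HOST, PANOS_API_KEY env var, NEVER_BLOCK."""
import ipaddress
import os
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

FIREWALL_HOST = "firewall.example.invalid"   # placeholder hostname
TAG = "blocked-ips"                           # tag name used in the post

# Your own public IPs (constructed sample range); the post keeps these
# out of the block rule with an exception in the log-forwarding filter.
NEVER_BLOCK = [ipaddress.ip_network("203.0.113.0/24")]


def build_uid_message(action: str, ip: str, tag: str = TAG) -> str:
    """Return the <uid-message> XML that registers or unregisters `tag` on
    `ip`. Rejects malformed IPs and refuses to *register* a tag on an
    address inside NEVER_BLOCK; unregistering is always allowed so a
    mis-tagged corporate address can still be freed."""
    if action not in ("register", "unregister"):
        raise ValueError(f"unknown action {action!r}")
    addr = ipaddress.ip_address(ip)            # ValueError on bad input
    if action == "register" and any(addr in net for net in NEVER_BLOCK):
        raise ValueError(f"{ip} is on the never-block list")
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    entry = ET.SubElement(ET.SubElement(payload, action), "entry", ip=str(addr))
    ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(root, encoding="unicode")


def send_uid_message(xml_cmd: str, host: str = FIREWALL_HOST) -> str:
    """POST the message to /api/ and return the <response> status
    attribute ("success" or "error"). No commit is needed afterwards."""
    key = os.environ["PANOS_API_KEY"]          # API key of a User-ID-capable admin
    data = urllib.parse.urlencode({"type": "user-id", "key": key, "cmd": xml_cmd})
    with urllib.request.urlopen(f"https://{host}/api/", data=data.encode(), timeout=15) as r:
        return ET.fromstring(r.read()).get("status", "error")


if __name__ == "__main__":
    # Unblock a constructed sample address (drops it from the dynamic group).
    print(send_uid_message(build_uid_message("unregister", "198.51.100.7")))
```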