This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

Threats on port 80 for globalprotect external interface?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Threats on port 80 for globalprotect external interface?

CRDF18
L2 Linker

‎10-04-2019 06:35 AM

We have been getting more and more threat alerts for our outside interface, that hosts our GlobalProtect portal/gateway, and in every alert its because the destination port is 80.

 

Ive checked and if you browse to our portal on http it redirects to the https page, also it appears we don't specifically have a rule allowing or denying port 80/http.

 

One idea i have, is putting a security rule in to allow SSL and panos-global-protect applications for anyone external going to our outside interface, then following it up with a deny any rule underneath it to stop port 80 (and anything else). My concerns by doing this is may kill our VPN....

 

I was wondering how do others deal the threat alerts on their outside interface for port 80?

 

Thanks

0 Likes Likes
7 REPLIES 7

OtakarKlier
Cyber Elite
Cyber Elite

‎10-04-2019 11:18 AM

Hello,

Have you setup Zone Protection profiles yet? I would say these are your first step in a line of defense. Also anything external is going to get probed constantly. With the zone protection profiles you can automatically block certain IP's based on their threats.

 

https://docs.paloaltonetworks.com/best-practices/8-1/dos-and-zone-protection-best-practices/dos-and-...

 

Regards,

0 Likes Likes

BruceBennett
L3 Networker

‎10-04-2019 11:35 AM

Does your rule allowing the connection to your gateway allow port 80 traffic. Since the outside interface is on the same zone as the gateway address, your default intrazone rule will allow it. My solution is only allowing ssl, panos-global-protect and panos-web-interface. (I think that panos-web-interface is for the portal, if you are using that same connection as the portal address.) Then a rule right below that to drop all traffic to that gateway address, not just port 80. This covers everything else that the Internet might be trying to do to your outside port.

I have to say, I am fairly new to the GP side, but that is what I have seen working well in my config so far.


Bruce.

Learn at least one new thing every day.
0 Likes Likes

CRDF18
L2 Linker
In response to OtakarKlier

‎10-07-2019 02:59 AM

it appears not! i will have a look at your link

0 Likes Likes

CRDF18
L2 Linker
In response to BruceBennett

‎10-07-2019 03:03 AM

Hi 

 

We dont specifically have a rule allowing or denying the gateway traffic so that was the confusing thing

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks