10-04-2019 06:35 AM
We have been getting more and more threat alerts for our outside interface, which hosts our GlobalProtect portal/gateway, and in every alert it's because the destination port is 80.
I've checked, and if you browse to our portal on http it redirects to the https page; also, it appears we don't specifically have a rule allowing or denying port 80/http.
One idea I have is putting a security rule in to allow SSL and panos-global-protect applications for anyone external going to our outside interface, then following it up with a deny any rule underneath it to stop port 80 (and anything else). My concern with doing this is that it may kill our VPN....
I was wondering how others deal with the threat alerts on their outside interface for port 80?
10-07-2019 02:29 PM
@CRDF18 That initially got me too. After looking at the logs and seeing that the traffic accessing the gateway was in the same zone, I went in and created the intrazone rule to block everything other than the specific applications needed, including removing ping access to the gateway. That cut down on a lot of probing traffic. I still think that there are benefits to the Zone Protection Profiles, because you are still open to the Internet, but at least the basic "probe and test" traffic is gone. Next step for me is the Zone Protection Profiles; those take a bit more work to get set up correctly.
10-08-2019 02:47 AM
I think I will have to do something similar. I need to apply a zone protection profile and also create one allow intrazone rule with the likes of the panos applications, but also with other applications such as ipsec-esp-udp for our VPN tunnels, and then follow it up with a deny rule.
10-22-2019 06:16 AM
The zone protection profile didn't do much, and the 2 rules I put in were one to allow approved applications (panos-web-interface, panos-global-protect etc.), then a deny rule just under the allow rule for applications like ping, telnet and web-browsing.
It seemed like this may have increased the amount of alerts I was getting, so today I disabled the allow rule and then created a separate rule, under the deny applications rule, to deny any application but only for port 80. This was because in our threat logs the alerts for outside to outside were for port 80, but the application was showing as incomplete.
I have tested VPN gateway and portal access and all seems to be OK, so I will give it a few days to see if it has cut down on the alerts/attempts. I've already seen a lot of things being blocked thanks to the deny on port 80, so I am feeling confident in this.
Thanks for your help
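For anyone following the thread, here is a small first-match model of the outside-to-outside rule set the last post ends up with (application deny rule above a port-80 deny rule, allow rule disabled), run over a few constructed log lines. This is an added example, not code from the thread or from Palo Alto Networks, and it is a simplification of PAN-OS policy evaluation: the gateway address, the log format and the sample flows are all made up for the example, and the only thing it is meant to show is which flows each rule catches and which ones still fall through to the default intrazone-allow rule.

```python
# Added example (not from the thread or from Palo Alto Networks): a simplified
# first-match model of the outside-to-outside rule set described in the thread,
# evaluated over constructed log lines.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed placeholder for the portal/gateway address on the outside interface.
GATEWAY_IP = "203.0.113.10"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    app: str  # App-ID result; "incomplete" when no application data was seen


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    apps: Optional[frozenset] = None   # None = any application
    ports: Optional[frozenset] = None  # None = any destination port
    enabled: bool = True

    def matches(self, flow: Flow) -> bool:
        if not self.enabled:
            return False
        if self.apps is not None and flow.app not in self.apps:
            return False
        if self.ports is not None and flow.port not in self.ports:
            return False
        return True


# Rule order mirrors the last post: the allow rule is disabled, the application
# deny rule sits above the rule that denies any application on port 80.
RULEBASE: List[Rule] = [
    Rule("allow-approved-apps", "allow",
         apps=frozenset({"panos-web-interface", "panos-global-protect"}),
         enabled=False),
    Rule("deny-probe-apps", "deny",
         apps=frozenset({"ping", "telnet", "web-browsing"})),
    Rule("deny-port-80", "deny", ports=frozenset({80})),
]

# Anything no rule matches lands on the default intrazone rule, which allows.
DEFAULT_INTRAZONE = ("intrazone-default", "allow")


def evaluate(flow: Flow, rulebase: List[Rule] = RULEBASE) -> Tuple[str, str]:
    """Return (rule name, action) of the first matching rule, else the default."""
    for rule in rulebase:
        if rule.matches(flow):
            return rule.name, rule.action
    return DEFAULT_INTRAZONE


def parse_log(text: str) -> List[Flow]:
    """Parse 'src dst port app' lines (constructed format, not a PAN-OS log)."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, port, app = line.split()
        flows.append(Flow(src, dst, int(port), app))
    return flows


def summarize(text: str, rulebase: List[Rule] = RULEBASE) -> Dict[str, int]:
    """Count how many flows each rule (or the default) decided."""
    counts: Dict[str, int] = {}
    for flow in parse_log(text):
        name, _ = evaluate(flow, rulebase)
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample traffic toward the outside interface (RFC 5737 addresses).
SAMPLE_LOG = f"""
198.51.100.7  {GATEWAY_IP} 443  panos-global-protect
198.51.100.7  {GATEWAY_IP} 4501 ipsec-esp-udp
192.0.2.44    {GATEWAY_IP} 80   incomplete
192.0.2.44    {GATEWAY_IP} 80   web-browsing
192.0.2.99    {GATEWAY_IP} 0    ping
192.0.2.99    {GATEWAY_IP} 23   telnet
192.0.2.123   {GATEWAY_IP} 22   ssh
"""

if __name__ == "__main__":
    for flow in parse_log(SAMPLE_LOG):
        name, action = evaluate(flow)
        print(f"{flow.src:>14} -> {flow.dst}:{flow.port:<5} {flow.app:<22} {action:<5} ({name})")
    print(summarize(SAMPLE_LOG))
```

The point of running it: the "incomplete" probe on port 80 is caught by the port-80 deny and the ping/telnet/web-browsing probes by the application deny, while the GlobalProtect and IPsec flows are untouched, which matches what the last post reports. It also makes the remaining gap visible: the constructed ssh flow on port 22 hits no rule and is decided by the default intrazone-allow, so anything not on port 80 and not one of the three denied applications still gets through under this rule set. Re-enabling the allow rule above the denies (as the earlier posts suggested) is the way to get an explicit first match for the VPN applications, and you can check that in the model by swapping `enabled=True` on the first rule.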