We have been getting more and more threat alerts for our outside interface, that hosts our GlobalProtect portal/gateway, and in every alert its because the destination port is 80.
Ive checked and if you browse to our portal on http it redirects to the https page, also it appears we don't specifically have a rule allowing or denying port 80/http.
One idea i have, is putting a security rule in to allow SSL and panos-global-protect applications for anyone external going to our outside interface, then following it up with a deny any rule underneath it to stop port 80 (and anything else). My concerns by doing this is may kill our VPN....
I was wondering how do others deal the threat alerts on their outside interface for port 80?
Have you setup Zone Protection profiles yet? I would say these are your first step in a line of defense. Also anything external is going to get probed constantly. With the zone protection profiles you can automatically block certain IP's based on their threats.
Does your rule allowing the connection to your gateway allow port 80 traffic. Since the outside interface is on the same zone as the gateway address, your default intrazone rule will allow it. My solution is only allowing ssl, panos-global-protect and panos-web-interface. (I think that panos-web-interface is for the portal, if you are using that same connection as the portal address.) Then a rule right below that to drop all traffic to that gateway address, not just port 80. This covers everything else that the Internet might be trying to do to your outside port.
I have to say, I am fairly new to the GP side, but that is what I have seen working well in my config so far.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!