@PC-TomS,
If you have the ability to feed the IPs in as an EDL this is easy enough with a custom report and the API. Something like this for the custom report:
<entry name="Failed_GP_Login">
  <type>
    <globalprotect>
      <sortby>repeatcnt</sortby>
      <aggregate-by>
        <member>public_ip</member>
        <member>srcuser</member>
      </aggregate-by>
      <values>
        <member>repeatcnt</member>
      </values>
    </globalprotect>
  </type>
  <period>last-15-minutes</period>
  <topn>5000</topn>
  <topm>50</topm>
  <caption>Failed_GP_Login</caption>
  <query>( error eq 'Authentication failed: Invalid username or password' )</query>
</entry>
Then you can run the job via the API:
import time

import requests
import xmltodict

fw_url = 'https://<firewall>/api'  # placeholder for the firewall management address
api_key = '<api-key>'              # placeholder for the API key

# api?type=report&async=yes&reporttype=custom&reportname=Failed_GP_Login
# Runs the report and returns the job ID. If you convert the response to a dictionary the job would be at ['response']['result']['job']. Allow enough time for the job to run (60 seconds should be sufficient, varies by environment and platform). #
run_report = requests.get(fw_url, params={'type': 'report', 'async': 'yes', 'reporttype': 'custom',
                                          'reportname': 'Failed_GP_Login', 'key': api_key})
job_id = xmltodict.parse(run_report.content)['response']['result']['job']
time.sleep(60)

# api?type=op&cmd=<show><report><id>JOB_ID</id></report></show>
# Collect the report so that you can actually analyze it. Again you'll want to convert the response to a dictionary. I've included a better Python example here #
request_report = requests.get(fw_url, params={'type': 'op', 'key': api_key,
                                              'cmd': '<show><report><id>' + str(job_id) + '</id></report></show>'})
report_dict = xmltodict.parse(request_report.content)  # Convert the response #
root = report_dict['response']['result']['report']['entry']
if isinstance(root, dict):  # xmltodict gives a single dict instead of a list when the report has one entry
    root = [root]
for element in root:
    recorded_session = [element['public_ip'], element['srcuser'], element['repeatcnt']]
    public_ip = recorded_session[0]
    src_user = recorded_session[1]
    repeat_count = recorded_session[2]
This is just a starting point, but what I've chosen to care about in particular is the three fields listed. I utilize a Redis database to increment the failed login count for both the IP and the user. What this allows is to set a threshold for the number of failed logins we determine is acceptable before we block them; you could alternatively simply utilize a similar account to block any source which failed to login to GlobalProtect if you don't want to provide any sort of leeway.
Then you can just have the script update your EDL to block any of the sources that you don't care to have accessing resources and send any alerting that you would care to send to indicate that the address/user has been blocked.
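A worked version of the thresholding step the post describes, added here as an example and not code from the post or from Palo Alto Networks: it parses a constructed sample of the "show report id" response with the standard library only (no xmltodict), accumulates per-IP and per-user failure counts in a plain dict as a stand-in for the Redis increments, applies thresholds, and renders the EDL body. The sample entries, the threshold values and the function names are assumptions for the example; the XML element names (public_ip, srcuser, repeatcnt, entry) are the ones the post's report definition produces.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of a Failed_GP_Login report response: one <entry> per
# (public_ip, srcuser) pair with its repeat count. Values are made up.
SAMPLE_REPORT = """<response status="success"><result>
<report name="Failed_GP_Login">
  <entry><public_ip>203.0.113.10</public_ip><srcuser>alice</srcuser><repeatcnt>3</repeatcnt></entry>
  <entry><public_ip>203.0.113.10</public_ip><srcuser>bob</srcuser><repeatcnt>4</repeatcnt></entry>
  <entry><public_ip>198.51.100.7</public_ip><srcuser>carol</srcuser><repeatcnt>1</repeatcnt></entry>
  <entry><public_ip>192.0.2.99</public_ip><srcuser>alice</srcuser><repeatcnt>6</repeatcnt></entry>
</report></result></response>"""

IP_THRESHOLD = 5    # assumed: failures from one source IP before it goes on the block EDL
USER_THRESHOLD = 8  # assumed: failures against one user before alerting on the account


def parse_report(xml_text):
    """Return [(public_ip, srcuser, repeatcnt), ...] from a report response.

    A response whose status is not 'success' carries no usable entries, so it
    is rejected instead of silently yielding an empty list.
    """
    root = ET.fromstring(xml_text)
    if root.get('status') != 'success':
        raise RuntimeError('report fetch failed: status=%s' % root.get('status'))
    rows = []
    for entry in root.iterfind('./result/report/entry'):
        ip = entry.findtext('public_ip', '').strip()
        user = entry.findtext('srcuser', '').strip()
        cnt = int(entry.findtext('repeatcnt', '0'))
        rows.append((ip, user, cnt))
    return rows


def new_counters():
    """Fresh per-IP and per-user counters (stand-in for Redis keys)."""
    return {'ip': Counter(), 'user': Counter()}


def update_counters(counters, rows):
    """Increment the counters in place, like INCRBY on a Redis key per IP/user."""
    for ip, user, cnt in rows:
        counters['ip'][ip] += cnt
        counters['user'][user] += cnt
    return counters


def decide_blocks(counters, ip_threshold=IP_THRESHOLD, user_threshold=USER_THRESHOLD):
    """Return (ips_to_block, users_to_alert) for counters at or above threshold."""
    ips = sorted(ip for ip, n in counters['ip'].items() if n >= ip_threshold)
    users = sorted(u for u, n in counters['user'].items() if n >= user_threshold)
    return ips, users


def render_edl(ips):
    """EDL body: one IP or CIDR per line. Anything that does not parse as an
    address is dropped so a bad value cannot break the list the firewall fetches."""
    lines = []
    for ip in ips:
        try:
            net = ipaddress.ip_network(ip, strict=False)
        except ValueError:
            continue
        lines.append(str(net.network_address) if net.num_addresses == 1 else str(net))
    return '\n'.join(lines) + ('\n' if lines else '')


def process(xml_text, counters=None):
    """One scheduler run: parse, accumulate, decide, render. Returns (ips, users, edl)."""
    counters = counters if counters is not None else new_counters()
    update_counters(counters, parse_report(xml_text))
    ips, users = decide_blocks(counters)
    return ips, users, render_edl(ips)


if __name__ == '__main__':
    blocked_ips, alert_users, edl_body = process(SAMPLE_REPORT)
    print(edl_body)
```

The counters are meant to outlive a single run (that is what Redis provides in the post); note that with a last-15-minutes report window, running the job more often than every 15 minutes will feed the same failures into the counters more than once, so the schedule and the window need to match.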