Blocking Brute Force Attack on GlobalProtect Portal Page

Blocking Brute Force Attack on GlobalProtect Portal Page

Created On 09/25/18 17:42 PM - Last Modified 05/14/20 20:29 PM

This document describes the steps to configure a security policy to block brute force attacks on the GlobalProtect Portal page.

  • Pan-OS
  • Globalprotect
  • Vulnerability Protection



  1. Create a vulnerability profile. Go Object > Security Profiles > Vulnerability Protection.
  2. Click the "Edit" Icon under the Threat Name column to open the Edit Time Attribute dialog.
    Adjust the number of instances detected from the child signature that is being triggered and adjust the time window to trigger the defined action. The child signature "Palo Alto Networks Firewall VPN Login Authentication Attempt" with ID 32256 is looking for "x-private-pan-sslvpn: auth-failed" from the http response header. The default is 10 hits within a 60-second time window. The screenshot below shows an example of a configured vulnerability profile. When creating the profile, search for the vulnerability ID 40017 in the search bar and check the enable box.
    User-added image
  3. Set the action to block-ip. With this option a block time can be configured and tracked by IP source or source and destination.
    User-added image
  4. Create a security policy to apply this profile.
  5. While creating a security policy, add the IP address of the portal under Destination Address and select the vulnerability profile created in step 1 above.

User-added image

Follow these steps to test if it is working.

  1. This is how the GlobalProtect Portal page appears when users try to authenticate for the first time:
    User-added image
  2. Log into the portal using random user names and passwords. The firewall processes incorrect login attempts for the first 9 times. The following screenshot shows the GlobalProtect Portal page during the 9 unsuccessful attempts:
    User-added image
  3. After the 9th unsuccessful attempt, the user will not be authenticated even with the correct credentials. The GlobalProtect Portal appears as follows after the 9th unsuccessful attempt:
    User-added image
    Brute Force Authentication Attempt is identified as the vulnerability threat. This can be seen in the threat logs. Go to Monitor > Logs > Threat.
    User-added image
  4. If block-ip action was configured, check the block-list on the CLI with command:
    debug dataplane show dos block-table
    Screen Shot 2015-01-15 at 5.05.53 PM.png


New sessions are set to DISCARD with a tracker stage firewall "mitigation block ip" and end-reason "threat".

Screen Shot 2015-01-13 at 5.05.30 PM.png

Global counters show drop counts under the name "flow_dos_drop_ip_blocked", and description "Packets dropped: Flagged for blocking and under block duration by other modules".

Screen Shot 2015-01-13 at 5.06.01 PM.png


owner: schaganti

  • Print
  • Copy Link

Choose Language