Palo Alto Networks Knowledgebase: Blocking Brute Force Attack on GlobalProtect Portal Page
Blocking Brute Force Attack on GlobalProtect Portal Page
Created On 09/25/18 17:42 PM - Last Updated 09/25/18 23:11 PM
This document describes the steps to configure a security policy to block brute force attacks on the GlobalProtect Portal page.
Create a vulnerability profile. Go Object > Security Profiles > Vulnerability Protection.
Click the "Edit" Icon under the Threat Name column to open the Edit Time Attribute dialog. Adjust the number of instances detected from the child signature that is being triggered and adjust the time window to trigger the defined action. The child signature "Palo Alto Networks Firewall VPN Login Authentication Attempt" with ID 32256 is looking for "x-private-pan-sslvpn: auth-failed" from the http response header. The default is 10 hits within a 60-second time window. The screenshot below shows an example of a configured vulnerability profile. When creating the profile, search for the vulnerability ID 40017 in the search bar and check the enable box.
Set the action to block-ip. With this option a block time can be configured and tracked by IP source or source and destination.
Create a security policy to apply this profile.
While creating a security policy, add the IP address of the portal under Destination Address and select the vulnerability profile created in step 1 above.
Follow these steps to test if it is working.
This is how the GlobalProtect Portal page appears when users try to authenticate for the first time:
Log into the portal using random user names and passwords. The firewall processes incorrect login attempts for the first 9 times. The following screenshot shows the GlobalProtect Portal page during the 9 unsuccessful attempts:
After the 9th unsuccessful attempt, the user will not be authenticated even with the correct credentials. The GlobalProtect Portal appears as follows after the 9th unsuccessful attempt:
Brute Force Authentication Attempt is identified as the vulnerability threat. This can be seen in the threat logs. Go to Monitor > Logs > Threat.
If block-ip action was configured, check the block-list on the CLI with command: debug dataplane show dos block-table
New sessions are set to DISCARD with a tracker stage firewall "mitigation block ip" and end-reason "threat".
Global counters show drop counts under the name "flow_dos_drop_ip_blocked", and description "Packets dropped: Flagged for blocking and under block duration by other modules".