Detecting Brute Force Attack on GlobalProtect Portal Page

237297
Created On 09/25/18 17:42 PM - Last Modified 01/09/25 05:08 AM


Symptom


This document describes the steps to configure a security policy that blocks brute force attacks (an excessive number of login attempts in a short period) on the GlobalProtect Portal page.



Environment


  • PAN-OS
  • GlobalProtect
  • Vulnerability Protection


Resolution


These steps will help you identify excessive login attempts in GlobalProtect. The default setting is 10 attempts within 60 seconds, which can be modified.

  • This signature is a combination of a parent and child signature, both related to brute force attempts. The parent signature (threat ID 40017) is triggered only when the child signature (threat ID 32256) is hit several times within a defined period.
  • The parent signature (threat ID 40017) is rated as medium severity and triggers an alert. This signature indicates that a brute-force attempt to log in to the Palo Alto Networks SSL VPN through repeated HTTP authentication requests has been detected.
  • The detection of login attempts to the Palo Alto Networks firewall VPN or GlobalProtect service is performed regardless of the result, by counting the number of login attempts detected by the child signature (threat ID 32256).
  • By default, the parent signature (threat ID 40017) will only trigger after 10 login attempts from the same source to the same destination are detected within 60 seconds. This setting can be modified.
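To make the parent/child relationship concrete, the following is an added Python model of the sliding-window threshold described above (example code written for this article, not PAN-OS code). It assumes child-signature hits arrive as (timestamp, source, destination) tuples; the sample events, the portal address and the attacker addresses are constructed.

```python
from collections import defaultdict, deque

# Defaults stated in the article: parent signature 40017 fires once child signature
# 32256 has been hit 10 times within 60 seconds from one source to one destination.
DEFAULT_THRESHOLD = 10
DEFAULT_WINDOW_SECONDS = 60


class BruteForceAggregator:
    """Sliding-window counter modelling the parent/child signature relationship.

    track="source-and-destination" keys on (src, dst); track="source" keys on src
    only, mirroring the two tracking choices offered by the Block IP action.
    """

    def __init__(self, threshold=DEFAULT_THRESHOLD, window=DEFAULT_WINDOW_SECONDS,
                 track="source-and-destination"):
        self.threshold = threshold
        self.window = window
        self.track = track
        self._hits = defaultdict(deque)  # key -> timestamps of recent child hits

    def _key(self, src, dst):
        return (src, dst) if self.track == "source-and-destination" else (src,)

    def observe(self, ts, src, dst):
        """Record one child-signature hit at time ts (seconds). Return True when
        the threshold is reached inside the window, i.e. the parent would alert."""
        q = self._hits[self._key(src, dst)]
        q.append(ts)
        while ts - q[0] >= self.window:  # expire hits that fell out of the window
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()  # start a fresh window after firing, as a block interval would
            return True
        return False


def alerts_for(events, **kwargs):
    """Replay (ts, src, dst) child hits; return (ts, key) for each parent trigger."""
    agg = BruteForceAggregator(**kwargs)
    return [(ts, agg._key(s, d)) for ts, s, d in events if agg.observe(ts, s, d)]


# Constructed sample: one host makes 10 attempts in 10 s (should trip the parent);
# another makes 9 attempts spread over several minutes (should stay quiet).
PORTAL = "198.51.100.5"
SAMPLE_EVENTS = sorted([(t, "203.0.113.10", PORTAL) for t in range(10)]
                       + [(t * 30, "203.0.113.20", PORTAL) for t in range(9)])

if __name__ == "__main__":
    for ts, key in alerts_for(SAMPLE_EVENTS):
        print(f"t={ts}s: parent signature would fire for {key}")
```

Lowering the threshold or widening the window in the call to `alerts_for` reproduces the effect of editing the time attribute in the vulnerability profile.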
 
Create a vulnerability profile.
  • Go to Object > Security Profiles > Vulnerability Protection.
  • In that profile, search for the vulnerability ID 40017 in the search bar and check the enable box.
  • Click the "Edit" icon under the Threat Name column to open the Edit Time Attribute dialog. Adjust the number of instances of the child signature that must be detected, and the time window in which they must occur, for the defined action to trigger.
  • You can set the action as Block IP with a specific block time. The action can be taken based on the "IP source" or "IP source and destination".
  • Create a security policy to apply this profile.
  • While creating a security policy:
    •  Add the IP address of the portal under Destination Address.
    •  Select the vulnerability profile created above.


  • You can verify the configuration with the following steps.
  • This is how the GlobalProtect Portal page appears when users try to authenticate for the first time:


  • Log into the portal using random user names and passwords. The firewall processes incorrect login attempts for the first 9 times. The following screenshot shows the GlobalProtect Portal page during the 9 unsuccessful attempts within 60 seconds:
  • After the 9th unsuccessful attempt, the user will not be authenticated even with the correct credentials. The GlobalProtect Portal appears as follows after the 9th unsuccessful attempt:
  • Brute Force Authentication Attempt is identified as the vulnerability threat. This can be seen in the threat logs. Go to Monitor > Logs > Threat.
  • If the Block IP action was configured, check the block table on the CLI with the command:
    debug dataplane show dos block-table



 

  • New sessions are set to DISCARD with the tracker stage firewall "mitigation block ip" and end-reason "threat".


 

  • Global counters show drop counts under the name "flow_dos_drop_ip_blocked", and description "Packets dropped: Flagged for blocking and under block duration by other modules".


 

See Also:

How to Protect GlobalProtect Portal on NGFW from Brute Force Attack

Brute Force Signature and Related Trigger Conditions
  

 


Additional Information


Note: For Prisma Access portal, please see the article below.

Brute force attacks seen on Prisma Access portal from specific source malicious IP's


