Detecting GlobalProtect Portal/Gateway Failed Logon Attempts
Created On 03/18/25 17:48 PM - Last Modified 08/19/25 15:11 PM
Question
Which brute force signature should be used if the only concern is tracking failed login attempts in GlobalProtect (e.g. credential stuffing)?
Environment
- PAN-OS
- GlobalProtect
- Vulnerability Protection
Answer
To track only failed logon attempts in GlobalProtect, the brute force signature to use is 40169.
- Threat ID : 40169
- Severity : Medium
- Default Action : Alert
- Description : This signature triggers when the child signature, ID 96010 (Palo Alto Networks GlobalProtect Authentication Failure Detection), is triggered 60 times in 5 seconds. Customers can adjust the timing of brute force signatures if the parent signatures trigger too often. Refer to Palo Alto Networks documentation to learn more about brute force signatures and customizing the action and trigger conditions for a brute force signature.
- Child Signature
  - Threat ID : 96010
  - Severity : informational
  - Default Action : allow
Customers can adjust the threshold and use the signatures that match their concern by following steps similar to those in the article listed in the "Additional Information" section.
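The following is an added example, not part of the original article and not Palo Alto Networks code: a Python replay of the trigger condition described above, for checking candidate hit counts and time windows against exported child-signature hits before changing the threshold. It assumes hits are aggregated per source IP in a sliding window that resets after each trigger; the event tuple layout, function names, and sample data are constructed.

```python
from collections import defaultdict, deque

CHILD_TID = 96010  # child signature: GlobalProtect authentication failure


def parent_triggers(events, hits=60, window=5.0):
    """Return {source: [trigger_time, ...]} for sources whose child-signature
    hits reach `hits` within `window` seconds (defaults: 60 hits in 5 s).

    events: iterable of (epoch_seconds, source_ip, threat_id).
    Assumption: per-source aggregation, sliding window, reset after a trigger.
    """
    recent = defaultdict(deque)    # source -> timestamps still inside the window
    triggers = defaultdict(list)
    for ts, src, tid in sorted(events):
        if tid != CHILD_TID:
            continue               # only child-signature hits count
        q = recent[src]
        q.append(ts)
        while ts - q[0] >= window:
            q.popleft()            # drop hits that fell out of the window
        if len(q) >= hits:
            triggers[src].append(ts)
            q.clear()              # start counting again after a trigger
    return dict(triggers)


def sample_events():
    """Constructed sample data using documentation IP ranges, not real logs."""
    burst = [(i / 20, "198.51.100.10", CHILD_TID) for i in range(60)]  # 60 failures in 3 s
    slow = [(i * 2.0, "203.0.113.7", CHILD_TID) for i in range(30)]    # 1 failure every 2 s
    other = [(1.0, "203.0.113.7", 0)]  # placeholder non-matching threat ID, ignored
    return burst + slow + other


if __name__ == "__main__":
    events = sample_events()
    for hits, window in [(60, 5), (3, 5)]:
        found = parent_triggers(events, hits, window)
        print(f"{hits} hits / {window} s ->", {s: len(t) for s, t in found.items()})
```

Comparing the two runs shows how many parent alerts each source would generate under the default and under a tighter setting, which helps gauge alert volume before adjusting the signature.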
Additional Information
Detecting Brute Force Attack on GlobalProtect Portal Page