Unknown SAML Login attempts failing on GlobalProtect Portal instead of SAML IdP

Created On 10/24/23 03:18 AM - Last Modified 09/26/24 20:34 PM


Symptom


  • GlobalProtect Dashboard logs show brute force attacks from different malicious IPs, displaying as SAML authentication attempts towards GlobalProtect Portal/Gateway.
  • The system logs show the attacker is redirected to the IdP for authentication and fails with Reason: Internal error, e.g. network connection, DNS failure or remote server down.
  • The authd.log file also shows that the user is redirected and then fails authentication with the same error.
> less mp-log authd.log
.....
debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1859): Authenticating user "it" with 
debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for -SAML-AuthProfile-vsys1
Error:  _authenticate_with_remote_server(pan_auth_state_engine.c:705): Failed to get server ids for it (prof/vsys: -SAML-AuthProfile/vsys1)
Error:  _begin_auth(pan_auth_state_engine.c:1934): sending request for user "it" to server
failed authentication for user 'it'.  Reason: Internal error, e.g. network connection, DNS failure or remote server down. auth profile '-SAML-AuthProfile', vsys 'vsys1', From: 192.168.4.1.
debug: _log_auth_respone(pan_auth_server.c:273): Sent PAN_AUTH_FAILURE auth response for user 'it' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 7270679058537519963)
  • On the IdP side, the SAML logs show no attempts, although failed SAML attempts would normally be recorded there.
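
The failure line in the authd.log excerpt above can be used as a detection signature. The following is an added example, not Palo Alto Networks code: it groups those failures by source address and flags sources that try several usernames. The thresholds, the profile-name marker "SAML", the function names and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Failure-line layout as shown in the authd.log excerpt on this page.
FAIL_RE = re.compile(
    r"failed authentication for user '(?P<user>[^']*)'\.\s+"
    r"Reason: (?P<reason>.*?)\s+auth profile '(?P<profile>[^']*)', "
    r"vsys '(?P<vsys>[^']*)', From: (?P<src>\S+?)\.?\s*$"
)
# Reason text logged when the SAML login fails on the firewall itself.
REASON = "Internal error, e.g. network connection, DNS failure or remote server down."


def saml_internal_failures(lines, profile_marker="SAML"):
    """Group SAML-profile failures carrying REASON by source address."""
    by_src = defaultdict(lambda: {"count": 0, "users": set()})
    for line in lines:
        m = FAIL_RE.search(line)
        if not m or profile_marker not in m["profile"]:
            continue  # not a failure line, or not a SAML auth profile
        if m["reason"] != REASON:
            continue  # ordinary failure, e.g. a bad password
        by_src[m["src"]]["count"] += 1
        by_src[m["src"]]["users"].add(m["user"])
    return dict(by_src)


def suspicious_sources(lines, min_failures=3, min_users=2):
    """Sources with repeated failures across several usernames (assumed thresholds)."""
    stats = saml_internal_failures(lines)
    return sorted(src for src, s in stats.items()
                  if s["count"] >= min_failures and len(s["users"]) >= min_users)


def sample_line(user, src, reason=REASON):
    """Build a constructed log line in the page's format (hypothetical profile name)."""
    return (f"failed authentication for user '{user}'.  Reason: {reason} "
            f"auth profile 'Example-SAML-AuthProfile', vsys 'vsys1', From: {src}.")


# Constructed sample input; addresses are from documentation ranges.
SAMPLE = [
    sample_line("it", "203.0.113.10"),
    sample_line("admin", "203.0.113.10"),
    sample_line("test", "203.0.113.10"),
    sample_line("alice", "198.51.100.7", reason="Invalid username/password."),
    "debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector",
]
if __name__ == "__main__":
    print(suspicious_sources(SAMPLE))
```

Sources flagged this way have no matching entries in the IdP's SAML logs, so the correlation has to be done on the firewall side.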


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • GlobalProtect Portal/Gateway
  • GlobalProtect (GP) App
  • SAML Authentication


Cause


  • Because of the brute force attack, an HTTP POST request for login.esp is seen instead of a GET.
  • As a result, the SAML auth request from authd is ignored by sslvpn/gpsvc, and the client is not redirected to the IdP.


Resolution


  1. This is expected in the above scenario.
  2. To minimize brute force attacks, refer to "How to Protect GlobalProtect Portal on NGFW from Brute Force Attack".


Additional Information


Detecting Brute Force Attack on GlobalProtect Portal Page.


