Brute force attacks seen on Prisma Access portal from specific malicious source IPs
Created On 06/17/24 06:54 AM - Last Modified 02/06/25 01:28 AM
Symptom
- By default, the Prisma Access portal accepts connections from anywhere on the internet.
- The portal may therefore receive brute force attacks from known malicious IPs.
- Logs of type globalprotect show multiple failed login attempts to the Prisma Access portal.
- A custom security rule created to block the known malicious IPs does not help, because the initial traffic is handled by the pre-defined rules that allow portal access for the authentication process.
Environment
- Prisma Access
- Brute force attack
Cause
- A brute force attack uses a large volume of requests/responses from the same source or destination IP address to break into a system. The attacker uses trial and error to guess the response to a challenge or request.
- The malicious actor can identify the Prisma Access portal IP, determine that it responds to HTTPS requests, and then send these login attempts to it.
Resolution
- Use the Prisma Access Embargo rules to create rules and add your malicious source IP list to block those connections.
- From the above document, instead of adding a source country or region, add a source IP list or an EDL.
- Alternatively, add a pre-defined EDL (External Dynamic List) to block connection attempts from known malicious IPs.
- Embargo rules are placed at the top of the security rule stack, so they block the connection attempts from malicious IPs before the pre-defined portal rules are evaluated.
- Another approach is to disable the GlobalProtect Portal login page (applicable only to Prisma Access managed by Panorama).
- This does not affect GlobalProtect client connections, but the browser login page returns a 404 response.
- Clientless VPN stops working if the portal login page is disabled. If Clientless VPN is not in use, this is also a valid mitigation for the brute force attempts.
- As a workaround in SCM-managed Prisma Access, a custom GlobalProtect Portal Login Page without login prompts in the script (or a blank HTML file) can be used to disable it. However, this does not work for SAML authentication, because SAML redirects to the IdP's page to log in.
- Another workaround for SCM-managed Prisma Access is to use these steps to reach the same state (GlobalProtect portal login page disabled from a web browser), which requires a configuration change.
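The Symptom and Cause sections above describe the pattern to look for (many failed portal logins from one source in a short time), and the Resolution section says to feed the offending sources to an Embargo rule as an EDL. The following script is an added example and is not Palo Alto Networks code. It assumes a simplified, constructed log layout (timestamp, event, status, source IP, user); real Prisma Access GlobalProtect log exports carry more fields, so `parse_line()` must be adapted to the actual export. The failure threshold, the 10-minute sliding window and the sample addresses (documentation ranges) are constructed values, and the EDL output assumes the plain one-entry-per-line text that an IP-type EDL consumes.

```python
"""Added example (not Palo Alto Networks code): find brute-force sources in
GlobalProtect portal authentication logs and render them as EDL text.

Assumptions (constructed for this example, not taken from the article):
- Log lines are comma-separated: timestamp, event, status, source IP, user.
- A source reaching FAIL_THRESHOLD failed portal logins inside any WINDOW-long
  span is treated as a brute-force source.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

FAIL_THRESHOLD = 5              # failed portal logins from one source ...
WINDOW = timedelta(minutes=10)  # ... within this sliding window

# Constructed sample log: 203.0.113.10 hammers the portal with guessed
# usernames; 198.51.100.7 is a user with one typo; 198.51.100.9 has five
# failures in total but spread so that only four fall inside one window.
SAMPLE_LOGS = """\
2024/06/17 06:00:01,portal-auth,failure,203.0.113.10,admin
2024/06/17 06:00:03,portal-auth,failure,203.0.113.10,administrator
2024/06/17 06:00:05,portal-auth,failure,203.0.113.10,root
2024/06/17 06:00:07,portal-auth,failure,203.0.113.10,test
2024/06/17 06:00:09,portal-auth,failure,203.0.113.10,guest
2024/06/17 06:00:11,portal-auth,failure,203.0.113.10,admin
2024/06/17 06:01:00,portal-auth,failure,198.51.100.7,jdoe
2024/06/17 06:01:20,portal-auth,success,198.51.100.7,jdoe
2024/06/17 06:02:00,portal-auth,success,192.0.2.25,asmith
2024/06/17 07:00:00,portal-auth,failure,198.51.100.9,bob
2024/06/17 07:30:00,portal-auth,failure,198.51.100.9,bob
2024/06/17 07:30:01,portal-auth,failure,198.51.100.9,bob
2024/06/17 07:30:02,portal-auth,failure,198.51.100.9,bob
2024/06/17 07:30:03,portal-auth,failure,198.51.100.9,bob
this line is malformed and must be skipped
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, event, status, src_ip, user).
    Returns None for blank or malformed lines so one bad line does not abort the run."""
    parts = line.strip().split(",")
    if len(parts) != 5:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y/%m/%d %H:%M:%S")
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3], parts[4]


def find_brute_force_sources(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {src_ip: peak_failures_in_window} for sources whose failed
    portal-auth attempts reached `threshold` inside any `window`-long span.
    Records are sorted by time first, then a per-source deque keeps only the
    failures that are still inside the window."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r is not None]
    records.sort(key=lambda r: r[0])
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, event, status, src_ip, _user in records:
        if event != "portal-auth" or status != "failure":
            continue
        q = recent[src_ip]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        peak[src_ip] = max(peak[src_ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def _edl_form(net):
    """Single hosts are written without a prefix length, networks in CIDR form."""
    return str(net.network_address) if net.num_addresses == 1 else str(net)


def render_edl(addresses):
    """Render addresses as EDL text: one validated, de-duplicated entry per line,
    IPv4 before IPv6. Raises ValueError on anything that is not an IP or network,
    so garbage never silently lands in a blocking list."""
    parsed = {ipaddress.ip_network(entry, strict=False) for entry in addresses}
    ordered = sorted(parsed, key=lambda n: (n.version, n))
    return "".join(_edl_form(n) + "\n" for n in ordered)


if __name__ == "__main__":
    offenders = find_brute_force_sources(SAMPLE_LOGS)
    print("brute-force sources:", offenders)
    print("EDL content:\n" + render_edl(offenders), end="")
```

Running the script with the constructed sample flags only 203.0.113.10; 198.51.100.9 has five failures overall but never five inside one 10-minute window, which is why the window matters and a plain total count would over-block. The rendered text can be hosted as an IP-type EDL and referenced from the Embargo rule described above; because Embargo rules sit at the top of the rule stack, the listed sources are dropped before the pre-defined portal rules see them.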
Additional Information
- As a best practice, use a second factor of authentication to reduce the attack surface (if using LDAP or RADIUS to authenticate users).
- For example, if the authentication method is LDAP and SAML cannot be used, add a certificate profile to the authentication profile so that clients need both credentials and a certificate to authenticate.
- Authentication can be split into separate profiles. For example, browser-based authentication alone can be redirected to SAML, while Windows and Mac clients continue to authenticate over LDAP with a certificate as the second factor.
- Alternatively, use SAML authentication so that each login attempt is redirected to the IdP (Identity Provider); this further deters the malicious actor, who would likely not have the second factor that most IdPs require.