How to Protect GlobalProtect Portal on NGFW from Brute Force Attack
93426
Created On 07/11/24 19:41 PM - Last Modified 06/03/25 03:48 AM
Objective
This article highlights how to configure Next-Generation Firewalls to protect the GlobalProtect Portal against brute-force attacks.
Environment
- Palo Alto NGFW firewalls
- Supported PAN-OS
- GlobalProtect (GP)
Procedure
Configure the firewall as described below. Please note that these configurations may need time and planning; it is recommended to schedule a maintenance window before making or testing any changes.
It is not necessary to implement all of the configurations; choose the ones that best suit the organization.
- Require all users to log in with two-factor authentication.
- Set up a brute-force IP blacklisting policy.
- Use geolocation: allow only region-specific source IPs with a Security Policy.
- Configure Palo Alto Networks' EDLs in a block policy.
- Utilize the GlobalProtect brute-force signatures below.
  - UTID 40017 - Detecting Brute Force Attack on GlobalProtect Portal Page
  - UTID 40169 - Detecting GlobalProtect Portal/Gateway Failed Logon Attempts
  - Brute Force Signature and Related Trigger Conditions
  - Since the default action of these signatures is "alert", you will want to customize the trigger and action conditions, e.g. action "block ip" - Customize the Action and Trigger Conditions for a Brute Force Signature
  - Change the action from "allow" to "alert" for the child signatures 32256 (parent signature UTID 40017) and 96010 (parent signature UTID 40169) to gain more visibility. Change this action only for troubleshooting purposes, and change it back to "allow" when troubleshooting is complete. Then go back to the threat logs and look for the child signatures. This shows the amount of traffic that matches the pattern, which can be used to tune the threshold under the parent signatures, 40017 or 40169.
- Disable the portal login page.
  - How to disable the GlobalProtect Portal login page
  - How to disable GlobalProtect portal login page from a web-browser for Prisma Access managed by Strata Cloud Manager
  - For example, UTID 40017 child signature 32256 looks for "POST /ssl-vpn/login.esp", "POST /global-protect/login.esp" or "POST /global-protect/getconfig.esp" in the HTTP URI. Each of these indicates a login attempt. When the threat logs show login.esp in the File Name column, the customer can disable the GlobalProtect Portal login page to stop seeing the fake login attempts in the GlobalProtect logs. If the customer sees getconfig.esp in the File Name column of the threat logs, disabling the GlobalProtect login page may not help.
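The two tuning questions above (how many child-signature hits a source generates within the parent signature's interval, and whether the hits land on login.esp or getconfig.esp) can be answered from a threat log export. The following is an added example, not code from the Palo Alto Networks article or from PAN-OS: it reads a constructed, four-column reduction of a threat log (a real export has many more columns), counts hits per source the way a parent brute-force signature's trigger condition does (N hits from one source within T seconds), and reports whether disabling the portal login page would remove the noise. The threshold and interval values passed in are example values for the exercise, not the signatures' defaults.

```python
"""Count child-signature hits per source to tune a brute-force threshold.

Added example, not from the Palo Alto Networks article or PAN-OS itself.
The threat-log lines below are constructed and reduced to four columns
(receive time, source, threat ID, file name); a real PAN-OS threat log
export has many more. The threshold and interval passed in are example
values for the tuning exercise, not the signatures' defaults.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: child signature 32256 (parent UTID 40017) fires once
# per matching request; 96010 is the child of parent UTID 40169.
SAMPLE_THREAT_LOG = """\
2024/07/11 10:00:01,198.51.100.7,32256,login.esp
2024/07/11 10:00:03,198.51.100.7,32256,login.esp
2024/07/11 10:00:08,198.51.100.7,32256,login.esp
2024/07/11 10:00:15,198.51.100.7,32256,login.esp
2024/07/11 10:00:30,198.51.100.7,32256,login.esp
2024/07/11 10:00:55,198.51.100.7,32256,login.esp
2024/07/11 10:05:00,198.51.100.7,32256,login.esp
2024/07/11 10:01:00,203.0.113.44,32256,getconfig.esp
2024/07/11 10:01:20,203.0.113.44,32256,getconfig.esp
2024/07/11 10:01:30,203.0.113.44,96010,login.esp
2024/07/11 10:02:00,192.0.2.9,32256,login.esp
"""


def parse_threat_log(text):
    """Parse the reduced CSV format above into a list of dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        received, src, threat_id, file_name = line.split(",")
        rows.append({
            "time": datetime.strptime(received, "%Y/%m/%d %H:%M:%S"),
            "src": src,
            "threat_id": int(threat_id),
            "file": file_name,
        })
    return rows


def sources_over_threshold(rows, child_id, threshold, interval_seconds):
    """Return {source: peak hits} for sources that reach `threshold` child
    hits within any sliding window of `interval_seconds`.

    This models the parent signature's trigger condition (N hits from one
    source within T seconds) so you can see which sources a given setting
    would act on before changing the parent's action.
    """
    times_by_src = defaultdict(list)
    for row in rows:
        if row["threat_id"] == child_id:
            times_by_src[row["src"]].append(row["time"])

    window = timedelta(seconds=interval_seconds)
    tripped = {}
    for src, times in times_by_src.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it spans <= interval
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            tripped[src] = peak
    return tripped


def file_name_summary(rows, child_id, src=None):
    """Count which .esp file names the child signature matched, optionally
    for one source only. login.esp vs getconfig.esp decides whether
    disabling the portal login page will reduce the noise."""
    counts = Counter(
        row["file"] for row in rows
        if row["threat_id"] == child_id and (src is None or row["src"] == src)
    )
    return dict(counts)


def login_page_disable_helps(rows, child_id, src=None):
    """True when every hit is on login.esp (disabling the portal login page
    would stop them); False once getconfig.esp appears in the hits."""
    summary = file_name_summary(rows, child_id, src)
    return summary.get("login.esp", 0) > 0 and summary.get("getconfig.esp", 0) == 0


if __name__ == "__main__":
    rows = parse_threat_log(SAMPLE_THREAT_LOG)
    print("would trip at 5 hits / 60 s:",
          sources_over_threshold(rows, 32256, threshold=5, interval_seconds=60))
    print("file names matched:", file_name_summary(rows, 32256))
    print("disabling login page helps:", login_page_disable_helps(rows, 32256))
```

Run it against a real export by replacing `SAMPLE_THREAT_LOG` with the relevant columns of the threat log filtered to the child signature; vary `threshold` and `interval_seconds` until only the sources you consider abusive are listed, then carry those values into the parent signature's trigger conditions.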
- In the GP policy, add the following App-IDs: "panos-global-protect", "ssl", "web-browsing" and "paloalto-gp-mfa-notification" (if the customer uses two-factor authentication).
- routed.log can be useful for following the GlobalProtect authentication process, i.e. the path by which a user is authenticated.
- Use the allow list under the Advanced tab of the Authentication Profile used by GlobalProtect. Add groups to the allow list; the groups are populated through the User-ID feature. This helps ensure that only valid users are allowed onto the customer's remote-access server.
See Also: GlobalProtect Login Fails When Using a Group in the Allow List
- Implement URL Filters:
  - Apply a URL Filtering profile to the security policy for SSL access that blocks attempts that do not use the Portal's FQDN.
  - Create a custom URL category list with "vpnportal.yourdomain.com/", "vpngw.yourdomain.com", "x.x.x.x/ssl-vpn/hipreportcheck.esp", "x.x.x.x/ssl-vpn/hipreport.esp" and "x.x.x.x/ssl-vpn/agentmessage.esp". NOTE: Replace x.x.x.x with the GP Gateway's IP address.
  - Split your GlobalProtect security policy rule into two rules: one to handle the App-IDs "panos-global-protect", "ssl" and "web-browsing", the other for IPsec and ICMP (if these are needed).
  - For the SSL security policy, add the URL Filtering profile that was created. After applying this, users will only be able to connect to the VPN with the FQDN.
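To see which requests the custom category above lets through and which it blocks once the profile is applied, here is an added example that is not Palo Alto Networks code. It models the category in a simplified way (an entry is a host plus an optional path; a host-only entry or one ending in "/" covers every path on that host, and an entry with a path matches that path as a prefix; the real PAN-OS matching rules are richer), and it models the profile as "allow the custom category, block everything else", which is the behaviour the article describes. 203.0.113.10 is a placeholder for the x.x.x.x gateway IP; the FQDNs are the article's example names.

```python
"""Check request URLs against the custom URL category from the article.

Added example, not Palo Alto Networks code. It models the URL Filtering
step in a simplified way: an entry is a host plus an optional path; a
host-only entry (or one ending in "/") covers every path on that host,
and an entry with a path matches that path as a prefix. The real PAN-OS
matching rules are richer than this. 203.0.113.10 is a placeholder for
the x.x.x.x gateway IP; the FQDNs are the article's example names.
"""
from urllib.parse import urlsplit

GATEWAY_IP = "203.0.113.10"  # stands in for x.x.x.x in the article
PORTAL_FQDN = "vpnportal.yourdomain.com"
GATEWAY_FQDN = "vpngw.yourdomain.com"

# The custom URL category list as the article gives it
CUSTOM_URL_CATEGORY = [
    f"{PORTAL_FQDN}/",
    GATEWAY_FQDN,
    f"{GATEWAY_IP}/ssl-vpn/hipreportcheck.esp",
    f"{GATEWAY_IP}/ssl-vpn/hipreport.esp",
    f"{GATEWAY_IP}/ssl-vpn/agentmessage.esp",
]


def parse_entry(entry):
    """Split "host/path" into (host, path); a missing path becomes "/"."""
    host, _, path = entry.partition("/")
    return host.lower(), "/" + path


def entry_matches(entry, host, path):
    """Simplified model: exact host match, then all paths or a path prefix."""
    entry_host, entry_path = parse_entry(entry)
    if host != entry_host:
        return False
    if entry_path == "/":
        return True
    return path.startswith(entry_path)


def url_in_category(url, category=CUSTOM_URL_CATEGORY):
    """True when any category entry covers the request's host and path."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return any(entry_matches(entry, host, path) for entry in category)


def policy_action(url):
    """Allow requests inside the custom category and block the rest: portal
    and gateway access by FQDN and the gateway's HIP/agent endpoints by IP
    pass; login.esp reached by the bare IP does not."""
    return "allow" if url_in_category(url) else "block"


def evaluate(urls):
    """Map each URL to the action the modelled profile would take."""
    return {url: policy_action(url) for url in urls}


if __name__ == "__main__":
    for url, action in evaluate([
        f"https://{PORTAL_FQDN}/global-protect/login.esp",
        f"https://{GATEWAY_IP}/global-protect/login.esp",
        f"https://{GATEWAY_IP}/ssl-vpn/hipreport.esp",
    ]).items():
        print(action, url)
```

The point the model makes visible is that the three IP-based entries are needed because the GlobalProtect client reaches the gateway's HIP and agent-message endpoints by address; without them, a profile that blocks all non-FQDN requests would break HIP reporting while blocking the IP-addressed login page.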
- Use SAML:
  - Geo-block at the security policy layer, in addition to the config selection criteria, if not already done.
  - Set your first rule to drop geo-IP and known malicious IPs, then, in the GP config rule, allow only specific regions.