How to Protect GlobalProtect Portal on NGFW from Brute Force Attack

Created On 07/11/24 19:41 PM - Last Modified 07/12/24 20:11 PM


Objective


This article outlines how to configure policy on a Next-Generation Firewall to protect the GlobalProtect Portal against brute force attacks.

Environment


  • Palo Alto NGFW firewalls
  • Supported PAN-OS
  • GlobalProtect (GP) Portal


Procedure


Configure the firewall with the following.
  1. Require all users to log in with two-factor authentication.
  2. Set up a brute force IP blacklisting policy.
  3. Use geolocation to allow only region-specific IP sources.
  4. Disable the portal login page.
  5. Configure Palo Alto's EDLs in a block policy.

If the GlobalProtect Portal is still receiving many failed logins from bad actors, take these additional steps to mitigate brute force attacks:

Implement URL Filters:
  1. Apply a URL Filtering profile to the security policy for SSL access that blocks attempts not using the FQDN of the Portal.
  2. Create a custom URL category list with "vpnportal.yourdomain.com/", "vpngw.yourdomain.com", "x.x.x.x/ssl-vpn/hipreportcheck.esp", "x.x.x.x/ssl-vpn/hipreport.esp", "x.x.x.x/ssl-vpn/agentmessage.esp".
  3. Split your GlobalProtect security policy rule into two rules: one to handle the App-IDs "panos-global-protect", "ssl", and "web-browsing", and the other for IPsec and ICMP (if these are needed).
  4. For the SSL security policy, add the URL Filtering profile that was created. After applying this, users will only be able to connect to the VPN with the FQDN.
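The following is an added illustration, not the article's or PAN-OS's own code: it models the allow/block decision the custom URL category above produces, so you can check that FQDN logins and the gateway's IP-based HIP/agent paths pass while direct-IP portal logins are blocked. The matching rules (a trailing "/" or a bare host matches every path on that host; a host plus path matches only that path) are a simplification assumed for the example, the IP 203.0.113.10 stands in for "x.x.x.x", and "/global-protect/login.esp" is the portal login path used for the test requests.

```python
from urllib.parse import urlsplit

# Placeholder portal/gateway IP (TEST-NET, constructed) replacing "x.x.x.x".
PORTAL_IP = "203.0.113.10"

# The custom URL category from the article, with the placeholder IP filled in.
CUSTOM_URL_CATEGORY = [
    "vpnportal.yourdomain.com/",
    "vpngw.yourdomain.com",
    f"{PORTAL_IP}/ssl-vpn/hipreportcheck.esp",
    f"{PORTAL_IP}/ssl-vpn/hipreport.esp",
    f"{PORTAL_IP}/ssl-vpn/agentmessage.esp",
]


def _split_entry(entry):
    """Split 'host/path' into (host, '/path'); a bare 'host' yields path None."""
    host, sep, path = entry.partition("/")
    return host.lower(), ("/" + path) if sep else None


def matches_category(host, path, category=CUSTOM_URL_CATEGORY):
    """Simplified matching (an assumption, not PAN-OS's exact algorithm):
    'host/' and bare 'host' match every path on that host,
    'host/path' matches only that exact path."""
    host = host.lower()
    for entry in category:
        e_host, e_path = _split_entry(entry)
        if e_host != host:
            continue
        if e_path in (None, "/") or e_path == path:
            return True
    return False


def policy_action(url, category=CUSTOM_URL_CATEGORY):
    """Return 'allow' if the request matches the custom category, else 'block'.
    Only requests using the portal FQDN or the gateway's HIP/agent paths
    are allowed; direct-IP attempts at the login page are blocked."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    return "allow" if matches_category(host, path, category) else "block"


if __name__ == "__main__":
    for u in ("https://vpnportal.yourdomain.com/global-protect/login.esp",
              f"https://{PORTAL_IP}/ssl-vpn/hipreportcheck.esp",
              f"https://{PORTAL_IP}/global-protect/login.esp"):
        print(policy_action(u), u)
```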
Use SAML:
  1. Geo-block at the security policy layer in addition to the GP config selection criteria, if not already done.
  2. Set your first rule to drop traffic from geo-blocked and known malicious IPs, then use the GP config rule to allow only specific regions.

