Blocking SAML Auth VPN login attempts - Fail2Ban?

Our Palo Alto frequently (under Monitor > System) shows Auth-Fail events from people making random, or what appear to be frequent, brute-force attempts to log in to our VPN with login names that make no logical sense but look like a random dictionary-style attempt: team, terminal, sysadmin, boardroom, ricoh, etc.

I understand this is expected behavior, and the nature of the internet. But I still see it as another layer of Swiss cheese that needs to be plugged for good security.

I have a few questions which I am trying to understand and hoping this community could assist me with.

  1. Our VPN is SAML based, so I don’t understand how they are trying to log in, because if you go to our VPN address using the GlobalProtect client, it immediately redirects you back to our SAML provider. Is this attempt being done via some sort of SSH or other method of login attempt? They don't show up in our SAML system, because I assume it has not gone via the appropriate login pathway.

How are they making these connections, and can it be blocked so this open “connection” does not get allowed?

We do have country blocking in place to restrict access to only the regions in which we travel.

  2. Does Palo not have some sort of Fail2Ban system where, if an IP keeps trying to log in and failing, it can be blocked? These attempts are being made every 5-10 minutes.

Thanks.

Look at the Zone Protection feature. https:///?#network::vsys1::network/network-profiles/zone-protection

The Reconnaissance Protection tab has 3 protections (TCP scan, Host Sweep, UDP scan). By default these only generate alerts. You can configure them to block. I use 600 seconds and I am not sure what the maximum timer value is. This only works if they exceed the threshold of 100 events in 2 seconds, but these are the default values.

The other option is a Security Policy when accessing your GP public IP and a threat profile that blocks “Brute force” signatures. PAN has a preconfigured profile named “Strict”. It sends a “tcp reset” to server and host for any severity medium, or greater, threat detected.

This may help: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJ2CAK

Do you have your portal web enabled?

These are crafted payloads that do not interact with the GP web server in an expected manner/flow, so they are blocked. They are essentially trying to bypass the authentication method by directly sending an HTTP POST message that mimics how a GP client would be sending credentials.

The PAN-OS side likely has some static error logging that it prints, since this is overall not expected but is being blocked locally on the PAN. You should be able to see information on the interaction of the malicious IP from the CLI with “less webserver-log sslvpn_access.log” and filter for the malicious IPs to see what kind of messaging the webserver handled. The log also dumps the HTTP code the firewall gave, likely a 500 for this kind of interaction if I recall.

Thank you that is helpful. I will investigate that. I assume though that Zone Protection will not work (or not as effective) if the scan attempts are spread over 6-7 minutes apart?

Perhaps then use the Security Policy?

Thank you that is very helpful!

Yes we do, I think primarily to download the VPN client/software. Is it best practice to disable it?

Thank you, this is interesting how they are sending these HTTP POST messages. I did not know that. Can the PanOS be configured to Deny/Block these attempts?

As I don't use the CLI, rather the GUI, I can certainly find the logs showing the IP addresses and source, but wanted to know more about whether I can do some sort of blocking where repeated attempts are stopped, or a lookup of the IP address to determine the user and then block it. u/Electronic_Beyond833 did give me some suggestions here so I will also see if that will work.
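The CLI hint above (filter sslvpn_access.log for the offending IPs and look at the HTTP status) plus the question of blocking repeated attempts is exactly what a Fail2Ban-style counter does. The script below is an added example, not code from the thread or from Palo Alto: it reads constructed access-log lines (the real sslvpn_access.log format is not shown in the thread, so the `<timestamp> <ip> <method> <path> <status>` layout is an assumption you must adapt) and trips on a sliding window of N failed POSTs per IP. It also shows why a 100-events-in-2-seconds reconnaissance threshold never fires on an attacker who posts once every 6-7 minutes, while a 5-per-hour window does.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (NOT real PAN-OS sslvpn_access.log output; the real
# format is not shown in the thread). The parser assumes one request per line:
#   <ISO-8601 timestamp> <client ip> <method> <path> <HTTP status>
# Adapt LINE_RE to whatever your firewall actually writes.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 POST /ssl-vpn/login.esp 500
2024-05-01T10:06:30 203.0.113.7 POST /ssl-vpn/login.esp 500
2024-05-01T10:13:10 203.0.113.7 POST /ssl-vpn/login.esp 500
2024-05-01T10:19:45 203.0.113.7 POST /ssl-vpn/login.esp 500
2024-05-01T10:20:00 198.51.100.4 GET /global-protect/getsoftwarepage.esp 200
2024-05-01T10:26:05 203.0.113.7 POST /ssl-vpn/login.esp 500
2024-05-01T12:00:00 198.51.100.9 POST /ssl-vpn/login.esp 500
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, status = m.groups()
    return {"ts": datetime.fromisoformat(ts), "ip": ip,
            "method": method, "path": path, "status": int(status)}


def is_failed_login(ev):
    """A POST to a login endpoint that the firewall answered with an error
    (the thread notes these crafted posts are typically answered with a 500)."""
    return (ev["method"] == "POST" and ev["path"].endswith("login.esp")
            and ev["status"] >= 400)


def offenders(lines, max_failures=5, window_seconds=3600):
    """Fail2Ban-style sliding window: return {ip: time_of_trip} for every
    client that reached max_failures failed logins within window_seconds.
    Lines must be in chronological order, as in a real log file."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of its recent failures
    tripped = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_failed_login(ev):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= max_failures and ev["ip"] not in tripped:
            tripped[ev["ip"]] = ev["ts"]
    return tripped


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    # Slow attacker, one attempt every ~6-7 minutes: caught by 5 failures / 1 h
    print("5 per hour :", offenders(lines))
    # Same traffic against a zone-protection-style "100 events in 2 s" threshold
    print("100 per 2 s:", offenders(lines, max_failures=100, window_seconds=2))
```

The window and threshold are the two knobs to tune against what you actually see in the log; a packet capture of the interval, as suggested further down, tells you which values make sense.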

I agree. You may want to do a packet capture for several minutes to see what interval they use. Since most shops are not looking at things like this, hackers often run these attempts at full speed to save time.

Did this help you with the block SAML Auth VPN login attempts? I am seeing the same thing. A lot of random names being entered.

In my experience, a login is not required to access the GP agent download page. You can simply browse directly to https://<GP_ADDRESS>/global-protect/getsoftwarepage.esp.

Disabling it will reduce your attack surface. You could distribute the client in a different way.

Those mentioned should help. I think in this situation I might also look at the secondary step of auto-tagging to dynamically register the GP log event, or capture the IP on brute-force threat log creation, and apply these to a DoS protection policy or security policy.

YouTube example tutorial for threat

Essentially the goal here is that once the threat log is triggered, the firewall tags the IP based on your log forwarding profile's log filter and then applies the tag set in the built-in actions, along with extracting the information you specified as part of the action. This tag can be placed into policies to dynamically update the IPs associated with the policy specific to this event. You’ll probably want to do some analysis on how the malicious behavior is logged.

This should also reduce CPU cycles that are consumed unnecessarily, since the firewall goes through several stages of processing before triggering the threat event. Instead of having to perform all the aforementioned tasks to get to the threat verdict, once a threat verdict is triggered by that IP you can have it blocked at a very early stage in the policy lookup process that avoids app inspection/content inspection.

If you're interested, here is a good read about how packet processing happens on PANs: Packet Flow Sequence in PAN-OS.
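The tagging approach above uses the firewall's own log forwarding profile to register a tag on the source IP, and a dynamic address group matching that tag then feeds a deny rule placed before the GlobalProtect rule. The same tag registration can be driven from outside the firewall, which is what a Fail2Ban-style script would do after counting failures. The example below is added here and is not code from the thread or from Palo Alto: it builds the PAN-OS XML API `uid-message` register payload and the POST to the `/api/` user-id endpoint. The tag name `gp-bruteforce`, the hostname and the API key are placeholders; the per-member `timeout` attribute is supported on PAN-OS 9.0 and later, so check your version before relying on it.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Assumptions (not from the thread): tag name "gp-bruteforce", firewall host
# and API key are placeholders to substitute. The <uid-message> layout is the
# PAN-OS XML API user-id register format; the "timeout" attribute on <member>
# exists on PAN-OS 9.0 and later.


def build_register_payload(ip_addresses, tag="gp-bruteforce", timeout_seconds=3600):
    """Build the <uid-message> that registers `tag` on each IP. A dynamic
    address group whose match criteria is this tag, referenced by a deny
    rule in front of the GlobalProtect allow rule, blocks the IP until the
    registration times out (no need to unregister by hand)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    register = ET.SubElement(ET.SubElement(root, "payload"), "register")
    for ip in ip_addresses:
        entry = ET.SubElement(register, "entry", ip=ip)
        member = ET.SubElement(ET.SubElement(entry, "tag"), "member",
                               timeout=str(timeout_seconds))
        member.text = tag
    return ET.tostring(root, encoding="unicode")


def registered_ips(payload):
    """Parse a payload back into (ip, tag) pairs, so a script can show what
    it is about to push before it pushes it."""
    root = ET.fromstring(payload)
    return [(e.get("ip"), m.text)
            for e in root.iter("entry") for m in e.iter("member")]


def build_api_request(firewall_host, api_key, payload):
    """Form the POST to the XML API user-id endpoint (built, not sent)."""
    body = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": payload}).encode()
    return urllib.request.Request(f"https://{firewall_host}/api/",
                                  data=body, method="POST")


def push_tags(firewall_host, api_key, ip_addresses, **kw):
    """Send the registration. The firewall's management certificate must be
    trusted by the host running this. Returns the raw XML API response."""
    req = build_api_request(firewall_host, api_key,
                            build_register_payload(ip_addresses, **kw))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    payload = build_register_payload(["203.0.113.7"])   # constructed example IP
    print(payload)
    print(registered_ips(payload))
    # push_tags("firewall.example.internal", "<API_KEY>", ["203.0.113.7"])
```

Because the tag carries a timeout, the block expires on its own, which matches the "block for a period" behaviour the thread wants and sidesteps the 3600-second cap mentioned below for IPS blocks: the timeout here is whatever you choose.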

No we ended up disabling the HTTP portal, since no one ever used it.

This is good, as the IPS blocks are only for 3600 seconds max.

Gotcha. Can you share how you configure the security policy, please?