Best Firewall policy to protect VPN interface

Just stood up our GP and I am seeing a lot of unwanted traffic reach our VPN interface IP address. Is this normal, and also what are ways to protect your VPN interface besides authentication for the actual connection to the VPN?

Limit the interface to only the apps GlobalProtect needs to function. Afterwards, limit connectivity by policy as strictly as possible. If you only need to allow employees in the US to connect, allow only US. The tighter you can limit this, the less drive-by traffic you’re going to get. Also ensure you have proper security profiles applied to the policies so that threat prevention can do its job.

By default, traffic is allowed to the GP portals and gateways by the default intrazone rule if you don’t have a “cleanup” rule at the end of your security policy (I will leave that discussion as a separate issue).

You can write an explicit rule to allow traffic to the GP resources. Then you can apply a Threat Prevention Policy.

I have toyed around with using inbound SSL decryption on the portal. That would help with black-holing the bots hitting the portal page. I may try that in dev… It is funny to use the decrypt policy to decrypt traffic to the firewall that is already decrypting the traffic.

Good stuff in this thread… Geo first, then find some EDL for blocking known bad IPs (Palo has a couple), and also make sure to enable the GP brute force signature: Detecting Brute Force Attack on GlobalProtect Portal Page.

Use ZPP on all interfaces, especially the external (we stop a lot of scanners and SYN floods here); you have to play with the settings. Also make sure to enable packet buffer protection on all firewalls and interfaces.

In addition to some of the suggestions here, my team and I have opted to start suggesting breaking out GlobalProtect from the edge firewall and putting it on dedicated VMs as GlobalProtect concentrators in a DMZ with two interfaces into the edge firewall (assuming VM infrastructure is available). In light of the GP zero-day, there’s no point in having a major security appliance be exposed to the internet and be vulnerable to having the entire running-config exfiltrated. If the VM(s) get popped, then it’s not as big of a concern as having the edge firewall (which for some customers is their core router as well for east-west) being popped.

You only need VM credits and maybe GlobalProtect license (if you want to do HIP checks), and all other security can be done by your firewall.

It at least reduces the threat footprint.

Block Tor and set up threat feeds to auto-update blacklisted IP addresses. Use GeoIP blocking. Even then you will still see bad logins, but it will cut way down.

We use machine certificate auth to stop the brute force attempts.

My rule to permit traffic to GP is limited to only the necessary apps. I have all critical and high threat signatures (Vulnerability, Anti-Spyware, Antivirus, etc.) blocked on it as well. In a rule before my GP rule I am blocking all EDLs to GP, and in another rule above that I am blocking traffic from all countries but my own, since there is no foreign access permitted anyway. This limits the attack surface quite a bit. At the end of the day, unless you know all the specific source IPs of anyone that could want to connect to GP, and you are not going to let them connect from hotels, coffee shops, etc., there is only so much you can do.
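An added example (written for this thread, not any commenter's configuration) that models the ordered rulebase described above and the default intrazone behaviour mentioned earlier: geo block, then EDL block, then a GP allow rule restricted to the GP apps, and finally the effect of having or not having a cleanup rule. All prefixes, the feed entries, the portal IP and the app names are constructed assumptions for the demo.

```python
import ipaddress

# Constructed sample data for the demo (not real indicators, feeds, or addresses).
COUNTRY_BY_PREFIX = {"198.51.100.0/24": "US", "203.0.113.0/24": "XX"}  # toy geo table
EDL_BLOCK = ["198.51.100.77/32"]                                       # toy "known bad" feed
GP_APPS = {"panos-global-protect", "ssl", "web-browsing"}  # assumed set of apps GP needs
HOME_COUNTRY = "US"
GP_INTERFACE = "192.0.2.10"  # constructed portal/gateway address on the untrust interface

def country(ip):
    a = ipaddress.ip_address(ip)
    return next((c for p, c in COUNTRY_BY_PREFIX.items() if a in ipaddress.ip_network(p)), "??")

def in_edl(ip):
    a = ipaddress.ip_address(ip)
    return any(a in ipaddress.ip_network(p) for p in EDL_BLOCK)

def build_rulebase(cleanup_rule=True):
    """Rules as (name, predicate over a flow dict, action), in rulebase order.
    The deny rules sit above the allow so that listed or foreign sources never
    reach the GP allow rule, whatever app they present."""
    rules = [
        ("block-foreign-to-gp",
         lambda f: f["dst"] == GP_INTERFACE and country(f["src"]) != HOME_COUNTRY, "deny"),
        ("block-edl-to-gp",
         lambda f: f["dst"] == GP_INTERFACE and in_edl(f["src"]), "deny"),
        ("allow-gp",  # in practice this rule also carries the threat-prevention profile group
         lambda f: f["dst"] == GP_INTERFACE and f["app"] in GP_APPS, "allow"),
    ]
    if cleanup_rule:
        rules.append(("cleanup", lambda f: True, "deny"))
    return rules

def evaluate(flow, rules):
    """First match wins. Traffic that matches nothing falls to the default rules:
    intrazone (internet -> the firewall's own untrust interface is untrust -> untrust)
    is allowed by default, interzone is denied by default."""
    for name, match, action in rules:
        if match(flow):
            return name, action
    if flow["src_zone"] == flow["dst_zone"]:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"

def flow(src, app, src_zone="untrust", dst_zone="untrust"):
    return {"src": src, "dst": GP_INTERFACE, "app": app,
            "src_zone": src_zone, "dst_zone": dst_zone}
```

Evaluating a non-GP app such as ssh against the interface with `build_rulebase(cleanup_rule=False)` returns the intrazone default allow, which is the gap the cleanup rule closes.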

Zone protection profiles for sure; they can be set quite aggressively.
Also consider blocking traffic from cloud providers using an EDL (why would a cloud provider need to see your GP portal?).

This is all really good information, thank you!!

Do you need SSL decryption? The firewall already has the private key for your VPN.

The portal is already decrypted automatically if you see the flag, because the firewall has the certificate.

I have an EDL allow list on the GP traffic; this helps a lot.

I built my own EDL for this: https://iserv.nl/files/edl/feed.php