Brute force attacks seen on the Prisma Access portal from specific malicious source IPs

Updated: 8 hours ago


To mitigate brute force attacks on your Prisma Access portal, follow this structured approach:

Step-by-Step Solution

  1. Implement Embargo Rules with EDLs

    • Why: Embargo rules sit at the top of the security rule stack and are evaluated before the predefined allow rules, so a listed source is dropped before it ever reaches the portal's authentication.

    • How:

      • Navigate to Prisma Access Configuration → Security → Embargo Rules.

      • Create a new rule:

        • Source: Add an External Dynamic List (EDL) of known malicious IPs (for example one of Palo Alto Networks' predefined malicious-IP EDLs, or a custom list you host yourself).

        • Destination: Set to any, or restrict it to your Prisma Access portal IP.

        • Action: Deny.

      • Confirm the rule is placed above the predefined portal access rules; an EDL-based deny that sits below an allow rule for the portal never matches.


  2. Disable the GlobalProtect Portal Login Page (If Clientless VPN Is Unused)

    • Panorama-Managed Prisma Access:

      • Go to GlobalProtect → Portals → [Your Portal] → Agent → Config.

      • Uncheck Enable Browser-Based Authentication.

    • SCM-Managed Prisma Access:

      • Upload a blank or custom HTML file as the login page (one that contains no authentication prompt).

    • Note: This removes only the browser-based login form and does not affect SAML redirects to IdPs. The GlobalProtect app still authenticates to the portal through its own path, so this step reduces the attack surface but does not by itself stop password guessing; pair it with the embargo rule and MFA.


  3. Enforce Multi-Factor Authentication (MFA)

    • For LDAP/RADIUS:

      • Create an Authentication Profile for the directory and a Certificate Profile, and require both user credentials and a client certificate (not credentials OR certificate).

      • Assign both profiles to the GlobalProtect portal and gateways. A client that cannot present a valid certificate is rejected before any credential prompt, so guessed passwords from an unknown machine never reach the directory.

    • For SAML:

      • Redirect authentication to an Identity Provider (IdP) with built-in MFA (e.g., Azure AD, Okta). The brute force then lands on the IdP, which should have its own lockout and risk-based policies.

  4. Monitor and Refine

    • Check the Traffic logs for hits on the embargo rule (filter by the rule name and action = deny) to confirm the EDL is matching, and the GlobalProtect logs for failed portal authentications to spot new attacking source IPs that are not yet on a list.

    • Keep the custom EDL current. The list is re-fetched at its configured refresh interval, so adding an address to the hosted file is enough to block it; no policy commit is needed.
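As an added example (not from the original page and not Palo Alto Networks' own tooling), the following Python script shows how the "monitor and refine" step can feed the custom EDL used in step 1: it reads a GlobalProtect log export, flags source IPs that produced a burst of failed portal authentications inside a sliding window, drops anything in an allowlist so that your own egress ranges are never embargoed, and renders the result in the one-address-per-line format an IP EDL expects. The CSV column order, the allowlisted range and the log lines themselves are assumptions constructed for the example.

```python
"""Turn failed GlobalProtect portal logins into a custom EDL of brute-force sources."""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log export for this example (assumed column order,
# not a real Prisma Access export):
# receive_time,event_id,stage,status,source_ip,user,portal
SAMPLE_GP_LOG = """\
2024-05-02 08:00:01,portal-auth,login,failure,203.0.113.10,alice,gp-portal
2024-05-02 08:00:03,portal-auth,login,failure,203.0.113.10,bob,gp-portal
2024-05-02 08:00:04,portal-auth,login,failure,203.0.113.10,carol,gp-portal
2024-05-02 08:00:06,portal-auth,login,failure,203.0.113.10,dave,gp-portal
2024-05-02 08:00:07,portal-auth,login,failure,203.0.113.10,erin,gp-portal
2024-05-02 08:01:10,portal-auth,login,failure,198.51.100.7,alice,gp-portal
2024-05-02 08:01:12,portal-auth,login,failure,198.51.100.7,alice,gp-portal
2024-05-02 08:01:15,portal-auth,login,success,198.51.100.7,alice,gp-portal
2024-05-02 08:02:00,portal-auth,login,failure,192.0.2.5,admin,gp-portal
2024-05-02 08:02:01,portal-auth,login,failure,192.0.2.5,admin,gp-portal
2024-05-02 08:02:02,portal-auth,login,failure,192.0.2.5,admin,gp-portal
2024-05-02 08:02:03,portal-auth,login,failure,192.0.2.5,admin,gp-portal
2024-05-02 08:02:04,portal-auth,login,failure,192.0.2.5,admin,gp-portal
2024-05-02 08:02:05,portal-auth,login,failure,192.0.2.5,admin,gp-portal
2024-05-02 08:03:00,portal-auth,login,failure,10.20.30.40,frank,gp-portal
2024-05-02 08:03:01,portal-auth,login,failure,10.20.30.40,frank,gp-portal
2024-05-02 08:03:02,portal-auth,login,failure,10.20.30.40,frank,gp-portal
2024-05-02 08:03:03,portal-auth,login,failure,10.20.30.40,frank,gp-portal
2024-05-02 08:03:04,portal-auth,login,failure,10.20.30.40,frank,gp-portal
2024-05-02 08:00:00,portal-auth,login,failure,198.51.100.200,grace,gp-portal
2024-05-02 08:15:00,portal-auth,login,failure,198.51.100.200,grace,gp-portal
2024-05-02 08:30:00,portal-auth,login,failure,198.51.100.200,grace,gp-portal
2024-05-02 08:45:00,portal-auth,login,failure,198.51.100.200,grace,gp-portal
2024-05-02 09:00:00,portal-auth,login,failure,198.51.100.200,grace,gp-portal
"""

# Hypothetical corporate egress space that must never land on the embargo list.
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]
THRESHOLD = 5                  # failed logins inside one window that trigger a block
WINDOW = timedelta(minutes=10)


def parse_gp_log(text):
    """Parse the CSV export into dicts with a datetime timestamp."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        ts, event_id, stage, status, src, user, portal = row
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "event_id": event_id, "status": status,
                        "src": src, "user": user})
    return records


def is_allowlisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def find_brute_force_sources(records, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: {"peak_failures": n, "distinct_users": m}} for every source
    whose failed portal-auth events reach `threshold` inside any sliding window.
    Successful logins are ignored; allowlisted sources are never returned."""
    failures, users = defaultdict(list), defaultdict(set)
    for r in records:
        if r["event_id"] == "portal-auth" and r["status"] == "failure":
            failures[r["src"]].append(r["ts"])
            users[r["src"]].add(r["user"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold and not is_allowlisted(ip):
            flagged[ip] = {"peak_failures": peak, "distinct_users": len(users[ip])}
    return flagged


def render_edl(flagged):
    """One address per line, sorted numerically: the IP-list format an EDL expects."""
    return "".join(f"{ip}\n" for ip in sorted(flagged, key=ipaddress.ip_address))


if __name__ == "__main__":
    hits = find_brute_force_sources(parse_gp_log(SAMPLE_GP_LOG))
    for ip, info in hits.items():
        print(f"{ip}: {info['peak_failures']} failures within {WINDOW}, "
              f"{info['distinct_users']} distinct usernames")
    print(render_edl(hits), end="")
```

Host the rendered file over HTTPS where Prisma Access can fetch it and reference it as the embargo rule's source EDL. The `distinct_users` count is what separates a password spray (many usernames from one source, as with 203.0.113.10 above) from a single user who is simply mistyping a password; the 198.51.100.200 source shows why the sliding window matters, since five failures spread over an hour should not earn an embargo.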

Key Considerations

  • Rule Order: Embargo rules must stay at the top of the security rule hierarchy, above any rule that allows traffic to the portal.

  • Clientless VPN Impact: Disabling the portal login page breaks Clientless VPN; only proceed if it is unused.

  • SAML Compatibility: Disabling the portal login page does not affect SAML flows, because authentication occurs at the IdP.

  • IP Lists Are Reactive: An EDL only blocks addresses already known to be bad, and attackers rotate sources. Treat the embargo rule as the fast fix and MFA or client certificates as the durable control.

Example Configuration

Embargo Rule          Source                        Destination        Action
--------------------  ----------------------------  -----------------  ------
Block Malicious IPs   EDL: paloalto-malicious-ips   Prisma Portal IP   Deny


Benefits

  • Immediate Blocking: Embargo rules prevent malicious IPs from reaching authentication.

  • Reduced Attack Surface: MFA and portal login removal add layers of defense.

  • Dynamic Updates: EDLs are re-fetched at their configured refresh interval, so newly listed IPs are blocked without a policy commit.

By prioritizing Embargo rules, disabling unnecessary access points, and enforcing MFA, you significantly reduce exposure to brute force attacks.