
Brute force attacks seen on Prisma Access portal from specific malicious source IPs

By Techclick co_in

To mitigate brute force attacks on your Prisma Access portal, follow this structured approach:

Step-by-Step Solution

  1. Implement Embargo Rules with EDLs

    • Why: Embargo rules are prioritized at the top of the security rule stack, blocking malicious IPs before pre-defined allow rules.

    • How:

      • Navigate to Prisma Access Configuration → Security → Embargo Rules.

      • Create a new rule:

        • Source: Add an External Dynamic List (EDL) of known malicious IPs (e.g., Palo Alto’s predefined EDL or a custom list).

        • Destination: Set to any or restrict to your Prisma Access portal IP.

        • Action: Block.

      • Ensure the rule is placed above pre-defined portal access rules.


  2. Disable GlobalProtect Portal Login Page (If Clientless VPN is Unused)

    • Panorama-Managed Prisma Access:

      • Go to GlobalProtect → Portals → [Your Portal] → Agent → Config.

      • Uncheck Enable Browser-Based Authentication.

    • SCM-Managed Prisma Access:

      • Upload a blank/custom HTML file as the login page (no authentication prompts).

    • Note: This stops browser-based logins but does not affect SAML redirects to IDPs.


  3. Enforce Multi-Factor Authentication (MFA)

    • For LDAP/RADIUS:

      • Create an Authentication Profile requiring both credentials and certificates.

      • Assign this profile to GlobalProtect.

    • For SAML:

      • Redirect authentication to an Identity Provider (IdP) with built-in MFA (e.g., Azure AD, Okta).

  4. Monitor and Refine

    • Check GlobalProtect logs for blocked IPs (filter by action=deny).

    • Regularly update EDLs to include new malicious IPs.
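Steps 1 and 4 form a loop: failed portal logins identify the offending sources, and the custom EDL that the Embargo rule consumes is refreshed with them. The script below is an added example (not from the original post and not a Palo Alto tool) that performs that log-to-EDL step offline on a constructed, simplified log export. The comma-separated column layout, the `portal-auth` event name, the failure threshold and the trusted-network allowlist are assumptions to be mapped onto your real export; the `#` header line assumes the documented EDL comment syntax and can be dropped if your list fails to parse.

```python
"""Turn failed GlobalProtect portal logins into an External Dynamic List (EDL).

An IP-type EDL is plain text with one IP address or CIDR per line. Host the
output over HTTPS and point the Embargo rule's source EDL object at that URL.
"""
import ipaddress
from collections import Counter

# Constructed sample export (assumed layout): timestamp,event,source_ip,status,reason
SAMPLE_LOG = """\
2024-05-01T10:00:01Z,portal-auth,203.0.113.10,failure,invalid username or password
2024-05-01T10:00:02Z,portal-auth,203.0.113.10,failure,invalid username or password
2024-05-01T10:00:03Z,portal-auth,203.0.113.10,failure,invalid username or password
2024-05-01T10:00:04Z,portal-auth,203.0.113.10,failure,invalid username or password
2024-05-01T10:00:05Z,portal-auth,203.0.113.10,failure,invalid username or password
2024-05-01T10:00:06Z,portal-auth,198.51.100.7,failure,invalid username or password
2024-05-01T10:00:07Z,portal-auth,198.51.100.7,failure,invalid username or password
2024-05-01T10:00:08Z,portal-auth,198.51.100.7,failure,invalid username or password
2024-05-01T10:00:09Z,portal-auth,198.51.100.7,failure,invalid username or password
2024-05-01T10:00:10Z,portal-auth,198.51.100.7,failure,invalid username or password
2024-05-01T10:00:11Z,portal-auth,198.51.100.7,failure,invalid username or password
2024-05-01T10:00:12Z,portal-auth,192.0.2.44,failure,invalid username or password
2024-05-01T10:00:13Z,portal-auth,192.0.2.44,success,
2024-05-01T10:00:14Z,portal-auth,10.20.30.40,failure,invalid username or password
2024-05-01T10:00:15Z,portal-auth,10.20.30.40,failure,invalid username or password
2024-05-01T10:00:16Z,portal-auth,10.20.30.40,failure,invalid username or password
2024-05-01T10:00:17Z,portal-auth,10.20.30.40,failure,invalid username or password
2024-05-01T10:00:18Z,portal-auth,10.20.30.40,failure,invalid username or password
2024-05-01T10:00:19Z,portal-auth,10.20.30.40,failure,invalid username or password
2024-05-01T10:00:20Z,portal-auth,not-an-ip,failure,garbage row
"""


def failed_logins_by_source(log_text):
    """Count 'failure' portal-auth events per source IP; malformed rows are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split(",")
        if len(parts) < 4:
            continue
        _ts, event, src, status = parts[:4]
        if event != "portal-auth" or status != "failure":
            continue
        try:
            ip = ipaddress.ip_address(src.strip())
        except ValueError:
            continue  # a bad source field must not end up in the block list
        counts[str(ip)] += 1
    return counts


def build_edl(counts, threshold, trusted_nets=(), existing_edl=""):
    """Return EDL text: previous entries kept, new offenders added, trusted ranges never listed."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    entries = set()
    for raw in existing_edl.splitlines():
        entry = raw.split("#", 1)[0].strip()  # keep what earlier refreshes already blocked
        if entry:
            entries.add(entry)
    for ip, n in counts.items():
        if n < threshold:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in trusted):
            continue  # never embargo your own or partner ranges (assumed allowlist)
        entries.add(ip)

    def sort_key(entry):
        net = ipaddress.ip_network(entry, strict=False)
        return (net.version, net)

    lines = ["# generated EDL: sources with >= %d failed portal logins" % threshold]
    lines += sorted(entries, key=sort_key)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    failures = failed_logins_by_source(SAMPLE_LOG)
    print(build_edl(failures, threshold=5,
                    trusted_nets=["10.0.0.0/8"],
                    existing_edl="# previous refresh\n192.0.2.0/24\n"))
```

Run it on a scheduled job, write the output to the HTTPS location your EDL object fetches from, and keep the trusted-network list in step with your own egress ranges so a misconfigured internal client cannot embargo your own users.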

Key Considerations

  • Rule Order: Ensure Embargo rules are at the top of the security rule hierarchy.

  • Clientless VPN Impact: Disabling the portal login breaks clientless VPN—only proceed if unused.

  • SAML Compatibility: Disabling the portal login does not affect SAML flows (authentication occurs at the IdP).

Example Configuration

Embargo Rule          Source                        Destination        Action
Block Malicious IPs   EDL: paloalto-malicious-ips   Prisma Portal IP   Deny


Benefits

  • Immediate Blocking: Embargo rules prevent malicious IPs from reaching authentication.

  • Reduced Attack Surface: MFA and portal login removal add layers of defense.

  • Dynamic Updates: EDLs automatically refresh to block emerging threats.

By prioritizing Embargo rules, disabling unnecessary access points, and enforcing MFA, you significantly reduce exposure to brute force attacks.

