Recognize attack patterns in your PAN-OS logs, tune Threat ID 40017, and deploy an EDL blocklist to stop VPN brute force attacks on your GlobalProtect portal.
If you're seeing these events in your PAN-OS logs, your GlobalProtect portal is being targeted by brute force bots. Here's how to confirm and respond.
Open Monitor > Logs > System and filter for subtype eq globalprotect. If you see hundreds of auth-fail entries from different source IPs, you are under active brute force attack.
Check Monitor > Logs > Threat and filter for threatid eq 40017. This is Palo Alto's built-in brute force detection signature. If it's firing, a single IP has exceeded the failed-login threshold (default: 10 attempts in 60 seconds).
If Threat ID 40017 is only alerting, set its action to reset-both or drop in your Vulnerability Protection profile. See the tuning section below.
Brute force attacks trigger AD account lockout policies. If your helpdesk is seeing 50+ accounts locked per day — especially accounts like admin, administrator, vpnuser, and real employee usernames — the cause is almost certainly external brute force against your GlobalProtect portal, not internal users forgetting passwords.
GlobalProtect VPN portals are publicly reachable by design. Attackers run automated credential campaigns against them 24/7 using three main techniques.
Attackers take username/password pairs leaked from data breaches and try them against your VPN portal. If any employee reuses a password from a breached site, the attacker gets in.
Instead of many passwords against one user, the attacker tries a small set of common passwords against many usernames. This stays under per-user lockout thresholds.
Modern attacks use thousands of source IPs (botnets or residential proxies). Each IP sends only 2–5 attempts, staying under per-IP detection thresholds like Threat ID 40017.
GlobalProtect portals may return different error messages for "user not found" vs "wrong password." Attackers use this to build a list of valid usernames before launching the real attack.
Threat ID 40017 detects per-IP brute force attempts. Here's how to tune it from alert-only to active blocking — and why it's not enough on its own.
Navigate to Objects > Security Profiles > Vulnerability Protection. Select the profile applied to your GlobalProtect security rule (or create a new one).
Click Exceptions, then Show All Signatures. Search for 40017. Click the entry to edit it. Change the Action from default (alert) to reset-both. This kills the TCP session on both sides when brute force is detected.
Default threshold: 10 failed attempts in 60 seconds from one IP. For GlobalProtect, consider lowering to 5 attempts in 120 seconds. This catches slower attackers while still allowing legitimate users who mistype their password.
Ensure the Vulnerability Protection profile is attached to the security rule that handles your GlobalProtect traffic. Commit the configuration.
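The two log checks above, as an added example that is not part of the original page: this Python script runs over constructed sample System log lines (their format approximates the GlobalProtect auth-fail message and is an assumption of the example), applies the per-IP window that Threat ID 40017 keys on with both the default 10-in-60s threshold and the tighter 5-in-120s setting, and separately surfaces the distributed, few-attempts-per-IP pattern that a per-IP signature cannot see.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape "<time>,<subtype>,<description>", approximating
# PAN-OS System log entries (subtype globalprotect); not captured data.
SAMPLE_LOG = """\
2024-05-01 10:00:00,globalprotect,GlobalProtect portal user authentication failed. Login from: 203.0.113.7, User name: admin
2024-05-01 10:00:20,globalprotect,GlobalProtect portal user authentication failed. Login from: 203.0.113.7, User name: administrator
2024-05-01 10:00:40,globalprotect,GlobalProtect portal user authentication failed. Login from: 203.0.113.7, User name: vpnuser
2024-05-01 10:01:00,globalprotect,GlobalProtect portal user authentication failed. Login from: 203.0.113.7, User name: test
2024-05-01 10:01:05,globalprotect,GlobalProtect portal user authentication failed. Login from: 198.51.100.11, User name: jsmith
2024-05-01 10:01:20,globalprotect,GlobalProtect portal user authentication failed. Login from: 203.0.113.7, User name: guest
2024-05-01 10:01:35,globalprotect,GlobalProtect portal user authentication failed. Login from: 198.51.100.12, User name: mjones
2024-05-01 10:02:05,globalprotect,GlobalProtect portal user authentication failed. Login from: 198.51.100.13, User name: rlee
2024-05-01 10:02:10,globalprotect,GlobalProtect portal user authentication failed. Login from: 192.0.2.10, User name: jdoe
2024-05-01 10:02:35,globalprotect,GlobalProtect portal user authentication failed. Login from: 198.51.100.14, User name: akhan
2024-05-01 10:02:50,globalprotect,GlobalProtect portal user authentication failed. Login from: 192.0.2.10, User name: jdoe
2024-05-01 10:03:05,globalprotect,GlobalProtect portal user authentication failed. Login from: 198.51.100.15, User name: pwong
"""
FAIL_RE = re.compile(r"^(?P<ts>\S+ \S+),globalprotect,.*authentication failed\. "
                     r"Login from: (?P<ip>[0-9a-f.:]+), User name: (?P<user>\S+)", re.I)

def parse_failures(text):
    """(timestamp, src_ip, user) for each GlobalProtect auth-fail line, oldest first."""
    hits = [FAIL_RE.match(line) for line in text.splitlines()]
    return sorted((datetime.fromisoformat(m["ts"]), m["ip"], m["user"]) for m in hits if m)

def per_ip_bursts(events, threshold=10, window_sec=60):
    """IPs with >= threshold failures inside window_sec: the per-IP pattern Threat ID 40017 keys on."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    return sorted(ip for ip, t in by_ip.items()
                  if any((t[i + threshold - 1] - t[i]).total_seconds() <= window_sec
                         for i in range(len(t) - threshold + 1)))

def spray_sources(events, max_per_ip=3, min_ips=5, window_sec=600):
    """Distributed pattern 40017 misses: many IPs, each under the per-IP threshold, in one window."""
    for start, _, _ in events:
        in_win = [e for e in events if start <= e[0] <= start + timedelta(seconds=window_sec)]
        low = [ip for ip, n in Counter(ip for _, ip, _ in in_win).items() if n <= max_per_ip]
        if len(low) >= min_ips:
            return sorted(low)
    return []
```

The spray check deliberately returns every low-volume source in the window, so a legitimate user who mistyped twice (192.0.2.10 in the sample) lands in the same set as the spraying hosts; treat that output as a review list to cross-check against the EDL and AD lockout reports, not as an automatic block.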
Add ThreatListPro's curated VPN brute force blocklist as an External Dynamic List on your PAN-OS firewall.
Sign up at threatlistpro.com and copy your unique feed URL from the dashboard. It looks like: https://feed.threatlistpro.com/v1/edl/YOUR_API_KEY
Navigate to Objects > External Dynamic Lists. Click Add. Set the name to ThreatListPro-VPN, type to IP List, and paste your feed URL. Set the repeat interval to 5 minutes.
Go to Policies > Security and add a new rule. Set the source zone to Untrust, source address to the EDL object ThreatListPro-VPN, destination to your GlobalProtect interface, and action to Deny. Place this rule above your existing allow rules.
Commit the configuration. Navigate to Objects > External Dynamic Lists, select the list, and click Test Source URL to verify IPs are loading. Check the Traffic log to confirm blocks are occurring.
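Because the Deny rule sits above your allow rules, it is worth auditing a feed body before the firewall enforces it. The following Python is an added example, not ThreatListPro's or Palo Alto's own code: it reads a constructed feed in the plaintext one-entry-per-line format the page describes and separates entries the firewall cannot parse from entries that overlap address space you must never block (the PROTECTED ranges and the treatment of '#' as a comment marker are assumptions of the example).

```python
import ipaddress

# Constructed sample feed body, one entry per line; documentation addresses only,
# not real ThreatListPro data.
SAMPLE_FEED = """\
# vpn-bruteforce blocklist (constructed)
203.0.113.7
198.51.100.0/24
2001:db8:1::/48
192.0.2.10-192.0.2.20
10.0.0.5
not-an-ip
203.0.113.300
"""

# Assumption: space you must never block, e.g. your own public egress range,
# the GlobalProtect portal address, and RFC 1918 space that may appear on Untrust via NAT.
PROTECTED = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "10.0.0.0/8")]

def parse_entry(entry):
    """Networks for one feed line (address, CIDR block or hyphenated range); None if unparseable."""
    try:
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            return list(ipaddress.summarize_address_range(lo, hi))
        return [ipaddress.ip_network(entry, strict=False)]
    except ValueError:
        return None

def audit_feed(text):
    """Classify entries as ok, invalid (the firewall cannot parse them) or overlaps (would block you)."""
    result = {"ok": [], "invalid": [], "overlaps": []}
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # assumption: '#' starts a comment
        if not entry:
            continue
        nets = parse_entry(entry)
        if nets is None:
            result["invalid"].append(entry)
        elif any(n.overlaps(p) for n in nets for p in PROTECTED):  # cross-version overlaps are False
            result["overlaps"].append(entry)
        else:
            result["ok"].append(entry)
    return result
```

Run it against the live feed URL before the first commit and again whenever the list size changes sharply; the number of IP entries a single EDL may hold also depends on the firewall model, so compare the ok count against your platform's limit.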
Combine a pre-built blocklist (EDL) with real-time local detection (Dynamic Address Group) for layered protection that handles both known and unknown attackers.
The ThreatListPro EDL blocks ~1,600 known VPN brute force IPs before they even connect. These are IPs confirmed attacking VPN portals worldwide. The traffic is dropped at the network layer — no CPU spent on TLS handshakes or login processing.
A Dynamic Address Group auto-tags source IPs that trigger Threat ID 40017 on your firewall. These are new attackers not yet in any blocklist. Once tagged, they're automatically added to a block rule — no manual intervention needed.
This PAN-OS configuration creates a feedback loop: Threat ID 40017 detects brute force → auto-tags the source IP → DAG membership updates → block rule applies instantly.
Each approach handles a different part of the problem. The recommended strategy stacks all three.
| Capability | ThreatListPro EDL | Threat ID 40017 | DAG Auto-Tag | MFA |
|---|---|---|---|---|
| Blocks known attackers | ✓ | ✗ | ✗ | ✗ |
| Detects new attackers in real-time | ✗ | ✓ | ✓ | ✗ |
| Stops distributed attacks | ✓ | ✗ | ✗ | ✓ |
| Prevents credential reuse | ✗ | ✗ | ✗ | ✓ |
| Reduces log noise | ✓ | ✗ | ✓ | ✗ |
| Prevents AD lockouts | ✓ | ✓ | ✓ | ✗ |
| Setup time | 5 min | 10 min | 15 min | Weeks |
| Ongoing maintenance | None (auto-updates) | None | None | User enrollment |
Check your PAN-OS System logs for repeated auth-fail events from many different source IPs against your GlobalProtect portal. Look for Threat ID 40017 in your Threat logs. Common signs include hundreds of failed login attempts per hour, authentication failures from IPs in countries where you have no employees, and Active Directory account lockouts caused by external login attempts.
Threat ID 40017 is Palo Alto's built-in brute force detection signature. It triggers when a single source IP exceeds a threshold of failed login attempts (default: 10 in 60 seconds). You can tune the threshold and action under Objects > Security Profiles > Vulnerability Protection. It detects per-IP brute force but misses distributed attacks from many IPs.
EDL + DAG stacking combines an External Dynamic List (pre-built blocklist of known attacker IPs) with a Dynamic Address Group (auto-tagging IPs that trigger local brute force detection). The EDL blocks known attackers before they connect. The DAG catches new attackers in real time. Together, they provide both proactive and reactive defense.
In PAN-OS, navigate to Objects > External Dynamic Lists, click Add, set the type to IP List, and paste your ThreatListPro feed URL. Set the refresh interval to 5 minutes. Then reference this EDL in a Security Policy rule to block inbound traffic from those IPs to your GlobalProtect portal.
Yes. ThreatListPro serves a standard plaintext IP list compatible with all PAN-OS versions that support External Dynamic Lists, including PAN-OS 9.x, 10.x, and 11.x. No special configuration or minimum version is required.
ThreatListPro updates its curated VPN brute force blocklist weekly. The list contains approximately 1,600 high-confidence attacker IPs verified through behavioral correlation across thousands of VPN sensors worldwide. Your Palo Alto firewall can refresh the EDL as frequently as every 5 minutes.
ThreatListPro provides a standard IP blocklist feed compatible with any firewall that supports external lists.