Global Blacklist in NGAF

wow Lv1Posted 17 Jul 2024 09:29

Hi everyone, I want to ask about NGAF. There is one public IP that is brute-forcing the NGAF web UI: it logs in forcefully and repeatedly until it enters the global blacklist, but after entering the global blacklist the IP is still detected brute-forcing logins to NGAF from a public IP.
Has anyone experienced the same thing?

Enrico Vanzetto has solved this question and earned 10 coins.


Hi, unfortunately this is normal, as every day we get alerts about unauthorized attempts on our customers' firewalls. You can set a policy that allows you to publish your firewall's web UI (I mean the SSL VPN portal) to some specific public IP. You can submit this malicious IP to Sangfor tech support so they can include it on the blacklist.
Rendy Rinaldy Lv1Posted 22 Jul 2024 15:44
  
This is a common thing when we open a public IP. If the attacker's public IP does not belong to you, ignore it, but you must strengthen your defenses, one of which is utilizing IP filtering by limiting access to trusted IPs only, such as closing IPs based on regional countries and closing ports that are not needed.
Sheikh_Shani Lv2Posted 20 Jul 2024 02:36
  
Hello Dear

I understand your concern. You're experiencing a brute force attack on your NGAF web UI, and despite the IP being added to the global blacklist, the attacks continue. This is a security concern, and I'll offer some suggestions to help you address this issue:

1. Verify blacklist configuration: Double-check your global blacklist configuration to ensure it's set up correctly. Make sure the IP address is correctly entered and that the blacklist is enabled.
2. Increase blacklist timeout: Consider increasing the blacklist timeout to prevent the IP from being removed too soon. This will give you more time to investigate and take action.
3. Enable rate limiting: Activate rate limiting on your NGAF web UI to restrict the number of login attempts from a single IP address within a specified time frame.
4. Implement CAPTCHA: Add a CAPTCHA challenge to your NGAF web UI login page to prevent automated brute force attacks.
5. Monitor logs: Closely monitor your NGAF logs to detect and respond to brute force attacks in real-time.
6. Consider a WAF: If you haven't already, consider deploying a Web Application Firewall (WAF) to provide an additional layer of protection against brute force attacks and other web-based threats.

Remember to stay vigilant and continuously monitor your NGAF security to prevent and respond to potential threats. If you need further assistance or have questions, feel free to ask!
mdamores Lv3Posted 19 Jul 2024 21:16
  
It looks like you are facing a persistent brute force attack where attempts are continuous even if the attacker is already added to the global blacklist. You may want to try the suggestions below to mitigate the issue:
1. Review the blacklist configuration and ensure that the global blacklist is configured correctly and that the IP address of the attacker is blocked.
2. Try updating the firmware of your Sangfor NGAF, since in some cases security patches and improvements are included in the updates.
3. Utilize Sangfor Advanced Bot detection features to help you identify and block automated scripts.
4. Consider implementing geo-blocking to restrict access if it's coming from a certain region.
5. Try implementing rate limiting to restrict the number of login attempts from a single IP address within a certain timeframe.
6. You may try increasing the logging level to gather logs and information about the attack.
7. And finally, consult and reach out to Sangfor support for immediate assistance.
Imran Tahir Lv4Posted 19 Jul 2024 19:45
  
In this way we can block the traffic of a whole subnet or IP.
wow Lv1Posted 19 Jul 2024 12:41
  
Hi guys, thanks for the answer, ya.
Prosi Lv3Posted 18 Jul 2024 20:33
  
Hi,

The steps to strengthen your security measures:
Verify Blacklist Configuration: Ensure that the IP address is correctly added to the global blacklist.
Firewall Rules: Ensure that your firewall rules are correctly configured to block traffic from the blacklisted IP address.
Update NGAF: Ensure that your Sangfor NGAF firmware or software is up to date.
Review Logs: Regularly review your NGAF logs to monitor whether the IP in question is indeed being blocked as expected.
Additional Security Measures:
Consider implementing rate limiting or CAPTCHA challenges to deter automated brute force attacks.
Use strong, complex passwords and implement multi-factor authentication (MFA) to further secure your login mechanisms.
Network Monitoring: Utilize network monitoring tools to watch for suspicious activity originating from the blacklisted IP or other sources.
IP Reputation Services: Consider integrating with IP reputation services that can automatically block IP addresses known for malicious activity.
Denny Chanditya Lv2Posted 18 Jul 2024 17:53
  
Is there no permitted ip address for accessing the device?
Tayyab0101 Lv2Posted 18 Jul 2024 17:51
  
Unfortunately this is a very technical and critical event and can be handled in various ways. However, you can also report this to Sangfor to add it to the blacklist.
Farina Ahmed Lv5Posted 18 Jul 2024 17:43
  
Yes, this issue can occur if the blacklist settings are not properly configured or if there are exceptions that allow the blocked IP to bypass the blacklist. Ensure that the global blacklist is correctly enforced and that there are no whitelist rules or other configurations that might be overriding the blacklist.
vesogi7900 Lv2Posted 18 Jul 2024 13:31
  
Brute force attacks on NGAF (Next-Generation Application Firewall) web UIs are a common security concern. Here are some steps you can take to mitigate and investigate this issue:

### Mitigation Steps

1. **Enable Rate Limiting**:
   - Configure rate limiting on the NGAF to limit the number of login attempts from a single IP address within a specified time frame.

2. **Use Multi-Factor Authentication (MFA)**:
   - Enable MFA for accessing the NGAF web UI to add an additional layer of security.

3. **Update Firmware**:
   - Ensure that your NGAF firmware is up-to-date with the latest security patches and updates.

4. **Implement Strong Password Policies**:
   - Enforce strong password policies to make brute force attacks more difficult.

5. **Network Access Control**:
   - Restrict access to the NGAF web UI to only trusted IP addresses through access control lists (ACLs).

6. **Monitor Logs**:
   - Continuously monitor logs for suspicious activities and set up alerts for unusual login attempts.

7. **Global Blacklist Configuration**:
   - Verify that the global blacklist settings are correctly configured and applied.
   - Check if there is a need to refresh or update the blacklist to ensure it is functioning correctly.

### Investigation Steps

1. **Check Logs for Blacklisted IP Activity**:
   - Examine the NGAF logs to determine if the blacklisted IP is still appearing. Look for entries that might indicate why the blacklist isn't effectively blocking the IP.

2. **Review Blacklist Configuration**:
   - Ensure that the IP is correctly added to the global blacklist. Sometimes, configuration errors can lead to ineffective blacklisting.

3. **Test Blacklist Effectiveness**:
   - Manually add a known IP to the global blacklist and attempt to access the NGAF web UI from that IP to verify that the blacklist is working as intended.

4. **Examine Network Configuration**:
   - Ensure that there are no network misconfigurations or routing issues that might allow the blacklisted IP to bypass the firewall rules.

5. **Check for IP Spoofing**:
   - Investigate the possibility of IP spoofing, where an attacker may be manipulating IP packets to appear as if they are coming from a blacklisted IP.

### Advanced Security Measures

1. **Geo-IP Blocking**:
   - If the attack originates from a specific region, consider implementing geo-IP blocking to restrict access from that region.

2. **Intrusion Detection and Prevention Systems (IDPS)**:
   - Deploy an IDPS to detect and prevent brute force attacks and other suspicious activities.

3. **Security Information and Event Management (SIEM)**:
   - Integrate NGAF logs with a SIEM system to gain better visibility and correlation of security events across your network.

### Example Configuration

Here’s a basic example of how you might configure rate limiting and IP blacklisting on an NGAF:

1. **Rate Limiting**:
   - Go to **Security Policies** > **Rate Limiting**.
   - Set a rule to limit login attempts to, for example, 5 attempts per minute from a single IP.

2. **IP Blacklisting**:
   - Go to **Security Policies** > **IP Blacklist**.
   - Add the suspicious IP address to the blacklist with a description and an expiration time if needed.

3. **Access Control**:
   - Go to **System** > **Administration** > **Access Control**.
   - Define trusted IP addresses that are allowed to access the NGAF web UI.

4. **Multi-Factor Authentication**:
   - Go to **System** > **Authentication** > **MFA**.
   - Enable MFA and configure it for all admin users.

By following these steps, you can strengthen the security of your NGAF web UI and reduce the risk of successful brute force attacks. If the issue persists, consider contacting Sangfor support for further assistance.
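Several replies above recommend checking the logs to confirm the attacker is really being blocked. The script below is an added example (not part of this thread or of any Sangfor product) that does that over constructed sample lines in an assumed `key=value` log format: it flags sources that exceed a failed-login threshold within a sliding window, and counts login attempts that appear after an IP's blacklist entry, which is exactly the symptom the original poster describes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical key=value format (the real NGAF
# log format is not shown in the thread); adapt LINE_RE to your export format.
SAMPLE_LOG = """\
2024-07-17T09:20:01 src=203.0.113.45 event=admin_login result=failed
2024-07-17T09:20:03 src=203.0.113.45 event=admin_login result=failed
2024-07-17T09:20:05 src=203.0.113.45 event=admin_login result=failed
2024-07-17T09:20:06 src=203.0.113.45 event=blacklist_add result=ok
2024-07-17T09:21:30 src=203.0.113.45 event=admin_login result=failed
2024-07-17T09:22:00 src=198.51.100.7 event=admin_login result=failed
2024-07-17T09:25:00 src=192.0.2.10 event=admin_login result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) event=(?P<event>\S+) result=(?P<result>\S+)$"
)

def parse(log_text):
    """Yield (timestamp, src, event, result) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["event"], m["result"]

def brute_force_sources(log_text, threshold=3, window=timedelta(minutes=1)):
    """Return the set of IPs with >= threshold failed admin logins inside any window."""
    fails = defaultdict(list)
    for ts, src, event, result in parse(log_text):
        if event == "admin_login" and result == "failed":
            fails[src].append(ts)
    flagged = set()
    for src, stamps in fails.items():
        stamps.sort()
        if any(stamps[i + threshold - 1] - stamps[i] <= window
               for i in range(len(stamps) - threshold + 1)):
            flagged.add(src)
    return flagged

def attempts_after_blacklist(log_text):
    """Map IP -> login attempts logged AFTER its blacklist_add (log assumed chronological).
    A non-zero count means the blacklist entry is not actually being enforced."""
    blacklisted_at, leaked = {}, defaultdict(int)
    for ts, src, event, result in parse(log_text):
        if event == "blacklist_add" and result == "ok":
            blacklisted_at[src] = ts
        elif event == "admin_login" and src in blacklisted_at and ts > blacklisted_at[src]:
            leaked[src] += 1
    return dict(leaked)
```

Run it against an exported NGAF log after adjusting `LINE_RE`; any IP returned by `attempts_after_blacklist` is a case to raise with Sangfor support, as the replies suggest.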