Global Blacklist in NGAF

wow (Lv1), posted 17 Jul 2024 09:29

Hi everyone, I want to ask about NGAF. There is one public IP that is brute-forcing the NGAF web UI: it attempts to log in forcefully and repeatedly until it enters the global blacklist, but after entering the global blacklist the IP is still detected brute-forcing logins to NGAF from a public IP.
Has anyone experienced the same thing?

Enrico Vanzetto has solved this question and earned 10 coins.


Enrico Vanzetto (Lv4), posted 17 Jul 2024 15:59
  
Hi, unfortunately this is normal, as every day we get alerts about unauthorized attempts on our customers' firewalls. You can set a policy that allows you to publish your firewall's web UI (I mean the SSL VPN portal) only to some specific public IPs. You can submit this malicious IP to Sangfor tech support in order to allow them to include it on the blacklist.
jerome_itable (Lv3), posted 17 Jul 2024 17:10
  
Here are some recommendations to help you address the situation with the public IP that's persistently trying to brute-force access to your Sangfor NGAF web UI:

1. Analyze NGAF Logs:

    Access the NGAF logs and analyze them to identify specific details about the brute-force attempts. Look for information like:
        Username(s) being targeted (if any)
        Time and frequency of attempts
        Originating IP address

2. Strengthen Login Security:

    Enable Account Lockout: Set a policy to lock the account after a specific number of failed login attempts. This discourages brute-force attacks.
    Implement Multi-Factor Authentication (MFA): MFA requires an additional verification step beyond the username and password, making it much harder for attackers to succeed.
    Strong Passwords: Enforce strong password policies for all NGAF user accounts. A strong password is long (at least 12 characters) and combines upper and lowercase letters, numbers, and symbols.

3. IP Blocking:

    Based on the identified IP address in the logs, you can consider blocking it at the NGAF firewall level. However, be cautious if the IP belongs to a legitimate source that might have accidentally triggered the brute-force attempts (e.g., a script malfunction).

4. Report Suspicious Activity:

    If you suspect a coordinated attack or have reason to believe the attempts originate from a malicious source, consider reporting the activity to relevant authorities.
Newbie290036 (Lv4), posted 17 Jul 2024 18:58
  
This behavior is a known issue with Next-Generation Firewalls (NGAF) and is often referred to as a "blacklisting" or "IP reputation" issue. When an IP address is added to the global blacklist, the NGAF should block traffic from that IP address, including login attempts. However, in this scenario, the IP address is still able to brute-force login attempts after being added to the global blacklist.

This is because the NGAF may not have implemented a mechanism to permanently block the IP address; instead, it may only temporarily block the IP address for a specific period or until a certain threshold is reached. As a result, the attacker can continue to use the same public IP address to make repeated login attempts until they successfully gain access.

To resolve this issue, it's recommended to implement additional security measures such as IP blocking for a longer period, limiting login attempts, or implementing CAPTCHA challenges to prevent automated attacks.
Zonger (Lv5), posted 18 Jul 2024 04:42
  
If a public IP continues to attempt brute force logins on the Sangfor NGAF (Next-Generation Application Firewall) web UI even after being added to the global blacklist, it suggests a few potential issues. Firstly, ensure the blacklist configuration is correctly applied and enforced within NGAF settings. Verify that the IP address is correctly identified and added to the blacklist rules with the appropriate action (e.g., block). Check NGAF's configuration to ensure there are no conflicting or overriding rules that might allow the IP to continue attempts despite being blacklisted. Additionally, monitor NGAF logs closely to confirm that the blacklist entries are being updated and applied correctly in real-time.
vesogi7900 (Lv2), posted 18 Jul 2024 13:31
  
Brute force attacks on NGAF (Next-Generation Application Firewall) web UIs are a common security concern. Here are some steps you can take to mitigate and investigate this issue:

### Mitigation Steps

1. **Enable Rate Limiting**:
   - Configure rate limiting on the NGAF to limit the number of login attempts from a single IP address within a specified time frame.

2. **Use Multi-Factor Authentication (MFA)**:
   - Enable MFA for accessing the NGAF web UI to add an additional layer of security.

3. **Update Firmware**:
   - Ensure that your NGAF firmware is up-to-date with the latest security patches and updates.

4. **Implement Strong Password Policies**:
   - Enforce strong password policies to make brute force attacks more difficult.

5. **Network Access Control**:
   - Restrict access to the NGAF web UI to only trusted IP addresses through access control lists (ACLs).

6. **Monitor Logs**:
   - Continuously monitor logs for suspicious activities and set up alerts for unusual login attempts.

7. **Global Blacklist Configuration**:
   - Verify that the global blacklist settings are correctly configured and applied.
   - Check if there is a need to refresh or update the blacklist to ensure it is functioning correctly.

### Investigation Steps

1. **Check Logs for Blacklisted IP Activity**:
   - Examine the NGAF logs to determine if the blacklisted IP is still appearing. Look for entries that might indicate why the blacklist isn't effectively blocking the IP.

2. **Review Blacklist Configuration**:
   - Ensure that the IP is correctly added to the global blacklist. Sometimes, configuration errors can lead to ineffective blacklisting.

3. **Test Blacklist Effectiveness**:
   - Manually add a known IP to the global blacklist and attempt to access the NGAF web UI from that IP to verify that the blacklist is working as intended.

4. **Examine Network Configuration**:
   - Ensure that there are no network misconfigurations or routing issues that might allow the blacklisted IP to bypass the firewall rules.

5. **Check for IP Spoofing**:
   - Investigate the possibility of IP spoofing, where an attacker may be manipulating IP packets to appear as if they are coming from a blacklisted IP.

### Advanced Security Measures

1. **Geo-IP Blocking**:
   - If the attack originates from a specific region, consider implementing geo-IP blocking to restrict access from that region.

2. **Intrusion Detection and Prevention Systems (IDPS)**:
   - Deploy an IDPS to detect and prevent brute force attacks and other suspicious activities.

3. **Security Information and Event Management (SIEM)**:
   - Integrate NGAF logs with a SIEM system to gain better visibility and correlation of security events across your network.

### Example Configuration

Here’s a basic example of how you might configure rate limiting and IP blacklisting on an NGAF:

1. **Rate Limiting**:
   - Go to **Security Policies** > **Rate Limiting**.
   - Set a rule to limit login attempts to, for example, 5 attempts per minute from a single IP.

2. **IP Blacklisting**:
   - Go to **Security Policies** > **IP Blacklist**.
   - Add the suspicious IP address to the blacklist with a description and an expiration time if needed.

3. **Access Control**:
   - Go to **System** > **Administration** > **Access Control**.
   - Define trusted IP addresses that are allowed to access the NGAF web UI.

4. **Multi-Factor Authentication**:
   - Go to **System** > **Authentication** > **MFA**.
   - Enable MFA and configure it for all admin users.

By following these steps, you can strengthen the security of your NGAF web UI and reduce the risk of successful brute force attacks. If the issue persists, consider contacting Sangfor support for further assistance.
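The "Analyze NGAF Logs" step in jerome_itable's reply and the "Monitor Logs", "Check Logs for Blacklisted IP Activity" and "Test Blacklist Effectiveness" steps above all come down to the same two questions: which source is brute-forcing the admin login, and does that source actually stop reaching the login handler once it is blacklisted? The script below is an added example written for this thread; it is not Sangfor code and was not posted by anyone above. The log layout, field names (`src=`, `user=`, `result=`) and event names (`webui-login`, `blacklist-drop`) are constructed for the example, and real NGAF log fields must be mapped into `LINE_RE` before it is useful on exported logs.

```python
"""Brute-force detection over admin-login log lines, plus a check that a
blacklisted source really stops producing login records after the blacklist
time (the symptom the original poster describes)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines, NOT real NGAF output. One public IP hammers the
# web UI; later, login records from it still appear before a drop record does.
SAMPLE_LOG = """\
2024-07-17 09:00:01 webui-login src=203.0.113.50 user=admin result=fail
2024-07-17 09:00:03 webui-login src=203.0.113.50 user=admin result=fail
2024-07-17 09:00:04 webui-login src=203.0.113.50 user=root result=fail
2024-07-17 09:00:06 webui-login src=203.0.113.50 user=admin result=fail
2024-07-17 09:00:07 webui-login src=203.0.113.50 user=admin result=fail
2024-07-17 09:00:09 webui-login src=203.0.113.50 user=administrator result=fail
2024-07-17 09:00:30 webui-login src=198.51.100.7 user=ops result=fail
2024-07-17 09:00:45 webui-login src=198.51.100.7 user=ops result=success
2024-07-17 09:05:00 webui-login src=203.0.113.50 user=admin result=fail
2024-07-17 09:05:02 webui-login src=203.0.113.50 user=admin result=fail
2024-07-17 09:05:04 blacklist-drop src=203.0.113.50 user=- result=blocked
"""

# Assumed layout: "<timestamp> <event> src=<ip> user=<name> result=<fail|success|blocked>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<event>\S+) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse matching lines into dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(d)
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag sources with >= threshold failed logins inside a sliding window.
    Returns {src: {"burst_start": datetime, "failures": int, "users": set}}."""
    recent = defaultdict(deque)  # per-source failure timestamps still inside the window
    stats = defaultdict(lambda: {"failures": 0, "users": set()})
    flagged = {}
    for e in events:
        if e["result"] != "fail":
            continue
        src = e["src"]
        stats[src]["failures"] += 1
        stats[src]["users"].add(e["user"])
        q = recent[src]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = q[0]  # start of the first burst that crossed the threshold
    return {src: {"burst_start": start, **stats[src]} for src, start in flagged.items()}


def check_blacklist_enforcement(events, src, blacklisted_at):
    """After blacklisting, a working global blacklist should yield only
    'blocked' records (or nothing at all) for src. Any 'webui-login' record
    after that time means the request still reached the login handler."""
    if isinstance(blacklisted_at, str):
        blacklisted_at = datetime.strptime(blacklisted_at, "%Y-%m-%d %H:%M:%S")
    after = [e for e in events if e["src"] == src and e["ts"] >= blacklisted_at]
    leaked = [e for e in after if e["event"] == "webui-login"]
    dropped = [e for e in after if e["result"] == "blocked"]
    return {"enforced": not leaked, "leaked": len(leaked), "dropped": len(dropped),
            "leaked_times": [e["ts"].strftime("%H:%M:%S") for e in leaked]}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for src, info in detect_bruteforce(events).items():
        print(f"brute force from {src}: {info['failures']} failures, "
              f"users tried {sorted(info['users'])}, burst started {info['burst_start']}")
    # Blacklisted at 09:01:00, yet login records keep arriving: not enforced.
    print(check_blacklist_enforcement(events, "203.0.113.50", "2024-07-17 09:01:00"))
    # Blacklisted at 09:05:03: only a drop record follows, as expected.
    print(check_blacklist_enforcement(events, "203.0.113.50", "2024-07-17 09:05:03"))
```

Run against an export of the real login and drop logs with the regex adjusted, and pass the time the IP entered the global blacklist. A result with `leaked > 0` reproduces the original poster's symptom and tells you the blacklist is not on the path those requests take (for example it applies to a different interface or zone, or an allow rule for the management port is matched first), whereas `leaked == 0` with `dropped > 0` means the blacklist works and only the drop records are being noticed. In either case the durable fix is the one Denny and Enrico point at: restrict the web UI to an allowlist of trusted source addresses rather than relying on reactive blacklisting.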
Farina Ahmed (Lv5), posted 18 Jul 2024 17:43
  
Yes, this issue can occur if the blacklist settings are not properly configured or if there are exceptions that allow the blocked IP to bypass the blacklist. Ensure that the global blacklist is correctly enforced and that there are no whitelist rules or other configurations that might be overriding the blacklist.
Tayyab0101 (Lv2), posted 18 Jul 2024 17:51
  
Unfortunately this is a very technical and critical event and can be handled in various ways. However, you can also report this to Sangfor to add it to the blacklist.
Denny Chanditya (Lv2), posted 18 Jul 2024 17:53
  
Is there no permitted IP address configured for accessing the device?
Prosi (Lv3), posted 18 Jul 2024 20:33
  
Hi,

Steps to strengthen your security measures:

    Verify Blacklist Configuration: ensure that the IP address is correctly added to the global blacklist.
    Firewall Rules: ensure that your firewall rules are correctly configured to block traffic from the blacklisted IP address.
    Update NGAF: ensure that your Sangfor NGAF firmware or software is up to date.
    Review Logs: regularly review your NGAF logs to monitor whether the IP in question is indeed being blocked as expected.

Additional security measures:

    Consider implementing rate limiting or CAPTCHA challenges to deter automated brute-force attacks.
    Use strong, complex passwords and implement multi-factor authentication (MFA) to further secure your login mechanisms.
    Network Monitoring: utilize network monitoring tools to watch for suspicious activity originating from the blacklisted IP or other sources.
    IP Reputation Services: consider integrating with IP reputation services that can automatically block IP addresses known for malicious activity.
