How are people blocking inbound anonymized VPN Traffic (e.g. PIA, NordVPN, etc) through Panorama? I know we can block the IP ranges, but that seems like a mouse/cat problem. Is there a better way to handle this (e.g. Appids?)
The way Palo Alto works is to block everything except your needed traffic. It's not needed to block anything specifically.
So only allow what you need and you are good.
I’d say your best bet is to figure out what traffic is necessary for inbound (eg global protect, locally hosted web servers, SIP etc) create rules for them, and then create a rule below all of those that is from untrust zone to untrust zone, any/any drop.
I'm not sure I understand. You want to block traffic coming from the termination point of a VPN (server node)? Like somebody connects to a VPN service, then browses your website from that node?
If that is the case, since those servers are VPN termination points, they are routing the real traffic or proxying it. In both cases, you cannot differentiate the traffic from a direct laptop connection or a VPN termination point except by the public source IP.
Do a packet capture, you will see it is the same. Some badly configured online proxy services (not VPNs) could have a specific user agent in HTTP; in that case it is your WAF that will filter it.
For all other cases, the only differentiating detail is the IP. I had the same issue with Tor exit nodes and had to create an EDL to get it automated. Maybe the EDL is the answer you are looking for.
Maybe A1 in below article?
I guess that is the crux of the question – how? I can try to manually block IPs/CIDR of known VPNs but that becomes a cat/mouse game as they migrate their VPNs to new IaaS.
I’ve toyed with the idea of creating an EDL and working on automating it to update based on some other public/private IP/ranges.
Thanks for this tidbit, I'll definitely check it out!
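The EDL approach suggested above (the Tor exit node EDL, and the OP's idea of automating an EDL from public address ranges) comes down to turning a raw address feed into a clean IP-type list the firewall can fetch. The following is an added example, not code from this thread or from Palo Alto: it parses a constructed feed, drops malformed entries, collapses overlapping ranges, renders one entry per line (bare host or CIDR, which I assume is what an IP-type EDL expects; check the PAN-OS docs for your release), and diffs two refreshes so changes can be reviewed before publishing.

```python
"""Build a Palo Alto style IP External Dynamic List (EDL) from a raw address feed."""
import ipaddress

# Constructed sample feed (not a real VPN provider or Tor exit list): a mix of
# hosts, CIDRs, IPv6, comments, blank lines and one malformed entry.
SAMPLE_FEED = """\
# constructed sample feed
203.0.113.10
203.0.113.0/28
198.51.100.0/24
198.51.100.77
2001:db8:abcd::/48
not-an-address
192.0.2.1   # inline comment

"""


def parse_feed(text):
    """Parse free-form feed text into ip_network objects; return (networks, rejected)."""
    networks, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)               # keep for logging, never emit to the EDL
    return networks, rejected


def build_edl(networks):
    """Collapse overlapping/adjacent ranges and render one entry per line.

    Single hosts are written bare, subnets in CIDR form (assumed EDL format).
    collapse_addresses() only accepts one IP version at a time, so v4 and v6
    are handled separately and emitted in that order.
    """
    entries = []
    for version in (4, 6):
        same_version = [n for n in networks if n.version == version]
        for net in ipaddress.collapse_addresses(same_version):
            entries.append(str(net.network_address) if net.num_addresses == 1 else str(net))
    return "\n".join(entries) + "\n"


def edl_diff(old_text, new_text):
    """Return (added, removed) entry sets so each refresh can be reviewed before publishing."""
    old, new = set(old_text.split()), set(new_text.split())
    return new - old, old - new


if __name__ == "__main__":
    nets, bad = parse_feed(SAMPLE_FEED)
    print(build_edl(nets), end="")
    print("rejected:", bad)
```

Publish the rendered text on an HTTPS host the firewall can reach, point an IP-type EDL at it, and reference the EDL in the untrust-to-untrust drop rule described earlier; the diff output is what you would log or review on each refresh.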
Maybe you need to elaborate what you mean with incoming VPN traffic?
My first thought was that you have IPsec tunnels to other partners or service providers where you wanted to block their incoming requests, but I guess that is not what you meant.
So what is your incoming VPN traffic you are worried about? Do you want to block access to your websites from known VPN providers? That would not be VPN traffic.
I understand and apologize for the confusion. I edited the post. I meant to put ‘anonymized VPN traffic’, so not IPSec to our network but someone using NordVPN/PIA/etc traversing ingress into our network.
Ideally block inbound traffic to some of our hosts from those known VPN providers.
OK, got it now. This is quite difficult because traffic from e.g. the NordVPN servers is basically like every other incoming traffic from the internet, except that the source is a NordVPN server.
Even SSL Decryption will probably not help much because it is legit traffic and not IPsec or any blockable application.
Outbound would be much easier, but inbound seems kind of impossible without blocking the NordVPN address range.
Yea, I didn’t see a clear path forward but I suspected that other firms may have the same challenge.