
GlobalProtect Login Surge 2025: 2.3M VPN Attempts Exposed

Figure: A visualization of the recent surge in malicious GlobalProtect VPN login attempts targeting public-facing portals.

Security teams should treat the recent spike in login traffic against GlobalProtect portals as a serious alarm. Between November 14 and 19, 2025, threat-intelligence sensors logged roughly 2.3 million sessions hitting the /global-protect/login.esp endpoint on PAN-OS and GlobalProtect gateways. That represents a nearly 40× increase in daily scan volume, hitting the highest level seen in a 90-day window.

The volume and consistency suggest this is not random background noise or opportunistic scanning — attackers are conducting a coordinated, high-intensity reconnaissance effort, likely probing for vulnerable or exposed VPN portals. 

The Attack Pattern: What the Data Shows

Analysis of scanning infrastructure reveals persistent patterns. Most traffic originates from AS200373 (3xK Tech GmbH) — about 62% of the activity geolocates to Germany — and a second ASN, AS208885, also shows repeated involvement. Target regions include the United States, Mexico, and Pakistan, with volumes appearing roughly equal. That geographic spread points to a broad, opportunistic campaign rather than a nation-state-style targeted attack. 

This wave follows a pattern observed earlier in 2025, when about 24,000 unique IP addresses engaged in scanning activity against GlobalProtect gateways, a likely precursor to attempts to exploit vulnerabilities or to credential-based attacks.

The Risk: Why This Matters Now

Even if no zero-day exploit is currently known or in play, this scale of login probes increases the odds of successful credential stuffing or brute-force attacks, especially against organizations with weak password policies, missing multi-factor authentication (MFA), or exposed portal endpoints.

Furthermore, security research shows that such intense reconnaissance efforts often precede vulnerability disclosures or exploitation attempts. For systems running GlobalProtect or PAN-OS, a proactive review and hardening of configurations is strongly advised. 

Technical Recommendations: Defend Against GlobalProtect Login Assaults

  • Enable the built-in brute-force detection signature (ID 40169), which triggers after multiple authentication failures within a short time window.

  • Consider disabling the public VPN web portal (/global-protect/login.esp) if your environment doesn’t require it — blocking HTTP(S) access to it significantly reduces the attack surface.

  • Enforce MFA for all VPN users. Password-only access under brute-force pressure is high risk.

  • Implement geofencing or IP-whitelisting — restrict login access to known, trusted IP ranges where feasible. This avoids exposure from wide-scale global scanning campaigns.

  • Monitor VPN logs actively for spikes in failed logins, anonymous IP sources, or unexpected authentication flows. Plan regular log review and alerting.

  • Keep PAN-OS and GlobalProtect software versions fully up to date. Any patches for authentication bypass, RCE, or login-portal hardening should be applied immediately.
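The log-monitoring recommendation above is the one that most benefits from concrete detection logic, so here is an added example (not code from the original article or from Palo Alto Networks) that runs three checks over VPN authentication records: a per-source sliding-window failed-login count (the same idea as the brute-force signature), a distinct-username count per source as a credential-stuffing indicator, and a global failed-login rate per time bucket to catch a volume spike like the one the article describes. The log format is an assumption: a constructed, simplified CSV of timestamp, source IP, username and result. Real PAN-OS GlobalProtect logs use different fields, so `parse_line()` would need adapting, and the thresholds and baseline are assumed values, not vendor defaults.

```python
"""Detect failed-login spikes and credential-stuffing patterns in VPN auth logs.

Added example, not code from the original article or from Palo Alto Networks.
ASSUMPTION: the log format is a constructed, simplified CSV
(timestamp, source IP, username, result). Real PAN-OS GlobalProtect logs use
different fields, so parse_line() would need adapting; thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: normal logins plus one source hammering the portal.
SAMPLE_LOG = """\
2025-11-15T08:00:01Z,203.0.113.10,alice,success
2025-11-15T08:00:05Z,198.51.100.7,bob,failure
2025-11-15T08:00:06Z,198.51.100.7,carol,failure
2025-11-15T08:00:07Z,198.51.100.7,dave,failure
2025-11-15T08:00:08Z,198.51.100.7,erin,failure
2025-11-15T08:00:09Z,198.51.100.7,frank,failure
2025-11-15T08:00:10Z,198.51.100.7,grace,failure
2025-11-15T08:00:40Z,203.0.113.11,bob,success
2025-11-15T08:02:30Z,198.51.100.7,heidi,failure
2025-11-15T08:30:00Z,192.0.2.44,alice,failure
2025-11-15T08:30:20Z,192.0.2.44,alice,success
"""


def parse_line(line):
    """Split one CSV record into (datetime, src_ip, user, result)."""
    ts, src, user, result = line.strip().split(",")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result


def failures(log_text):
    """Yield only the failed-authentication records, parsed."""
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if rec[3] == "failure":
                yield rec


def detect_bruteforce(log_text, max_failures=5, window=timedelta(seconds=60)):
    """Per-source sliding window: return {src_ip: time_first_triggered} for
    sources with >= max_failures failed logins inside any `window`."""
    recent = defaultdict(deque)  # src_ip -> timestamps of failures still in window
    alerts = {}
    for ts, src, _user, _ in failures(log_text):
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= max_failures and src not in alerts:
            alerts[src] = ts
    return alerts


def spray_sources(log_text, min_users=5):
    """Credential-stuffing indicator: one source failing against many distinct
    usernames. Returns {src_ip: distinct_user_count} for sources over min_users."""
    users = defaultdict(set)
    for _ts, src, user, _ in failures(log_text):
        users[src].add(user)
    return {src: len(u) for src, u in users.items() if len(u) >= min_users}


def spike_buckets(log_text, bucket_minutes=1, baseline_per_bucket=1, factor=5):
    """Global failed-login rate: return ISO timestamps of buckets whose failure
    count is >= factor x the expected baseline. In production the baseline would
    be learned from prior weeks of logs; here it is an assumed constant."""
    counts = defaultdict(int)
    for ts, *_ in failures(log_text):
        start = ts.replace(minute=ts.minute - ts.minute % bucket_minutes, second=0)
        counts[start] += 1
    threshold = baseline_per_bucket * factor
    return sorted(t.isoformat() for t, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("brute-force sources:", detect_bruteforce(SAMPLE_LOG))
    print("credential-stuffing sources:", spray_sources(SAMPLE_LOG))
    print("spike buckets:", spike_buckets(SAMPLE_LOG))
```

On the constructed sample, 198.51.100.7 trips the sliding window at 08:00:09 (five failures inside 60 seconds), is flagged for failing against seven distinct usernames, and the 08:00 bucket is flagged as a volume spike; the single failure from 192.0.2.44 followed by a success is left alone, which is the behaviour you want so that a user mistyping a password once does not page anyone.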

Looking Beyond Just Credential Attempts

Because VPN login portals remain a high-value target, organizations should treat any surge, even one of unsuccessful login attempts, as potentially serious reconnaissance. Historical patterns show that adversaries often couple such scanning with attempts to exploit unpatched vulnerabilities or zero-days soon after.

Therefore, beyond brute-force and MFA defenses, teams should adopt a defense-in-depth strategy: network segmentation, strict access controls, hardened firewall rules, and continuous monitoring of unusual activity.

FAQs

Why are these login attempts happening now?
Because attackers frequently scan internet-facing VPN portals to discover exposed or misconfigured systems they can target. The recent 2.3M session surge suggests a coordinated campaign, possibly testing for weak credentials, default configurations, or even unpatched vulnerabilities.

Does a failed login surge mean my system was exploited?
Not necessarily, but it does raise red flags. A high volume of failed login attempts (especially from many unique IPs) strongly indicates reconnaissance or brute-force attempts. Combined with exposed portals or weak authentication, this increases risk. It warrants immediate review and hardening.

What immediate actions should admins take?
Enable brute-force detection signatures, enforce MFA, restrict portal access via IP-whitelisting or geofencing, disable public login pages if unnecessary, and monitor login logs closely for abnormal patterns.

Is patching PAN-OS enough to stop this?
Patching helps, but isn’t sufficient alone. Because many of these attempts rely on credential stuffing or brute-force, strong authentication controls, portal access restrictions, and logging/alerting are critical.

Could this surge be a false positive or mis-classification?
While possible, the scale (millions of sessions), consistent origin ASNs, and repeated historical patterns strongly suggest it’s intentional malicious activity, not random noise.
