Tuesday, 28 January 2025

Geoblock on Palo Alto

The FW needs to see the real client source IP before a geoblock can be applied. First check where the current users are actually coming from:


Under Monitor > Logs > GlobalProtect, filter with:

( stage eq 'login' ) and ( status eq 'success' )


Also

Network > GlobalProtect > Gateways, click on the "Remote Users" link on the right
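To turn the filtered log view into a list of countries to allow, the export can be summarised per source region. The script below is an added example, not part of the original note: the CSV is constructed, the column names are assumed to match a GlobalProtect log export ("Source IP", "Source Region", "Stage", "Status"), and the allow list is a placeholder.

```python
import csv
import io
from collections import Counter

# Constructed sample of a GlobalProtect log CSV export (not real data).
# Column names are an assumption about the export format of
# Monitor > Logs > GlobalProtect.
SAMPLE_GP_LOG = """\
Receive Time,Source User,Source IP,Source Region,Stage,Status
2025/01/28 08:01:12,alice,198.51.100.10,GB,login,success
2025/01/28 08:03:45,bob,203.0.113.7,IE,login,success
2025/01/28 08:05:02,carol,192.0.2.55,RU,login,success
2025/01/28 08:07:30,alice,198.51.100.10,GB,login,success
2025/01/28 08:09:11,dave,203.0.113.9,IE,login,failure
"""

# Placeholder allow list; replace with the countries your users work from.
ALLOWED_REGIONS = {"GB", "IE"}


def summarise_gp_logins(csv_text, allowed_regions=ALLOWED_REGIONS):
    """Apply the same filter as ( stage eq 'login' ) and ( status eq 'success' ),
    count logins per source region, and list user/IP pairs that come from a
    region outside the allow list (candidates to investigate before the
    geoblock rule goes live)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    per_region = Counter()
    outside = []
    for row in reader:
        if row["Stage"] != "login" or row["Status"] != "success":
            continue
        region = row["Source Region"]
        per_region[region] += 1
        if region not in allowed_regions:
            outside.append((row["Source User"], row["Source IP"], region))
    return per_region, outside


if __name__ == "__main__":
    counts, outside = summarise_gp_logins(SAMPLE_GP_LOG)
    for region, n in counts.most_common():
        print(f"{region}: {n} successful logins")
    for user, ip, region in outside:
        print(f"outside allow list: {user} from {ip} ({region})")
```

Run it against the real export before writing the deny rule; any region in the "outside" list is either a travelling user to handle via an exception or an account to look at.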


There is also the option to create the NAT rule for the GP IP only for the allowed geolocations.


Have a general security rule that denies the geoblocked regions to/from any.

Have a security rule that allows access to the GP IP only from the approved countries.

Set the countries up in the GP config (portal / gateway).

Configure geoblocking on any 2FA provider you might be using as well, as another line of defence.

Enable the Palo Alto EDL blocks, dynamic threat lists etc., and a strict IPS profile.

Wednesday, 22 January 2025

Exclude IPs from a Nessus scan

Say we want to exclude .101 and .102 from 192.168.1.0/24; we can create the targets like so:


192.168.1.1-192.168.1.100, 192.168.1.103-192.168.1.254
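Building those ranges by hand gets error-prone once the exclusion list grows, so here is an added helper (not from the original note) that generalises the idea: it takes a network and a list of addresses to skip and emits the comma-separated ranges in the same form as the target string above. The function name and the sample inputs are my own.

```python
import ipaddress


def nessus_targets(network, excluded):
    """Return a target string covering every host in `network` except the
    addresses in `excluded`, as comma-separated contiguous ranges
    (e.g. "192.168.1.1-192.168.1.100, 192.168.1.103-192.168.1.254").
    Network and broadcast addresses are left out, matching the note above."""
    net = ipaddress.ip_network(network, strict=False)
    skip = {ipaddress.ip_address(ip) for ip in excluded}
    ranges = []
    start = prev = None
    for host in net.hosts():
        if host in skip:
            continue  # break the current run at an excluded address
        if start is None:
            start = prev = host
        elif host == prev + 1:
            prev = host  # still contiguous, extend the run
        else:
            ranges.append((start, prev))
            start = prev = host
    if start is not None:
        ranges.append((start, prev))
    # A single-address run is written as a lone IP rather than "a-a".
    return ", ".join(str(a) if a == b else f"{a}-{b}" for a, b in ranges)


if __name__ == "__main__":
    # Reproduces the example from the note.
    print(nessus_targets("192.168.1.0/24", ["192.168.1.101", "192.168.1.102"]))
```

Paste the output straight into the scan's target field; excluded hosts never appear in any range, so Nessus never probes them.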


Reducing scan impact:

✅ 1. Exclude or Limit Scanning of Network Infrastructure Devices

  • Exclude devices like:

    • Firewalls

    • Switches

    • Wireless access points

    • Routers

  • These devices often:

    • React poorly to port scans and probes

    • Have limited CPU/RAM for handling scan traffic

    • Could throttle or interrupt user traffic when overwhelmed

Yes, you should exclude these devices unless you have a clear need to scan them and have coordinated with the network team.


✅ 2. Use Scan Throttling and Performance Settings

Adjust the performance settings in Nessus:

  • Scan Configuration > Performance Settings:

    • Reduce the number of max simultaneous checks per host.

    • Lower the max simultaneous hosts scanned.

    • Increase the timeout to prevent retries.

    • Set network scan delay (e.g., 100–300 ms).

    • Use Safe Checks to avoid DoS-like behavior.

This reduces the burst load on the network and the devices.


✅ 3. Use Targeted or Segmented Scans

  • Break the scan into smaller IP ranges or subnets.

  • Focus on servers, endpoints, or business-critical systems first.

  • Scan different segments at different times or windows.

This distributes the load and avoids network congestion.


✅ 4. Schedule Scans During Off-Hours

  • Run scans during non-peak hours (e.g., late evening or weekends).

  • Coordinate with the customer for a maintenance window.

This is often the simplest way to avoid affecting productivity.


✅ 5. Enable Credentialed Scanning Where Possible

  • Credentialed scans are less noisy on the network.

  • They use authenticated access (e.g., SSH, SMB) to gather data from inside the system.

More accurate and less intrusive than aggressive remote scans.


✅ 6. Use Passive or External Discovery Methods First

  • Start with:

    • ARP sweep

    • DNS enumeration

    • SNMP discovery

    • Existing asset inventories

  • Use these to map devices before a full vulnerability scan.


✅ 7. Communicate and Test First

  • Run a scan in a test VLAN or lab to profile the impact.

  • Communicate with the network and system admins.

  • Make sure there’s monitoring in place to see how scans affect performance.


Nessus HSTS check and HTTP 3xx redirects

https://community.tenable.com/s/article/Verify-strict-transport-security-header-for-HSTS-Missing-From-HTTPS-Server?language=en_US


Check the headers returned for the plain-HTTP URL with:

curl -sSI http://domain.com/
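The curl output is just a status line and headers, which is easy to check programmatically. The following is an added example, not from the note or the Tenable article: it parses responses in the shape `curl -sSI` prints them (the three samples are constructed) and applies the rule browsers and the Nessus check follow, namely that Strict-Transport-Security only counts on HTTPS responses and has to be present on every HTTPS response, 3xx redirects included. The function names and the "domain.com" host are assumptions.

```python
import re

# Constructed responses in `curl -sSI` form (not real servers).
HTTP_REDIRECT = """\
HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://domain.com/
Content-Length: 0
"""

HTTPS_REDIRECT_NO_HSTS = """\
HTTP/1.1 302 Found
Server: nginx
Location: https://domain.com/login
"""

HTTPS_OK = """\
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html
"""


def parse_head(raw):
    """Split a raw HEAD response into (status_code, {lowercased header: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def check_hsts(raw, over_https):
    """Evaluate one response the way the HSTS scan check does.

    over_https=False: the header is ignored by clients on plain HTTP, so the
    only thing worth reporting is whether the response redirects to https://.
    over_https=True: the header must be present with a positive max-age on
    every response, including 3xx redirects (the usual source of the finding)."""
    status, headers = parse_head(raw)
    hsts = headers.get("strict-transport-security")
    location = headers.get("location")
    result = {"status": status, "redirect_to": location, "hsts": hsts, "finding": None}
    if not over_https:
        if not (300 <= status < 400 and (location or "").startswith("https://")):
            result["finding"] = "plain HTTP should redirect to HTTPS"
        return result
    if hsts is None:
        result["finding"] = "HTTPS response (3xx redirects included) lacks Strict-Transport-Security"
        return result
    match = re.search(r"max-age=(\d+)", hsts)
    result["max_age"] = int(match.group(1)) if match else 0
    if result["max_age"] <= 0:
        result["finding"] = "max-age missing or zero"
    return result


if __name__ == "__main__":
    for raw, https in ((HTTP_REDIRECT, False), (HTTPS_REDIRECT_NO_HSTS, True), (HTTPS_OK, True)):
        print(check_hsts(raw, https))
```

The second sample is the case the note is about: the HTTPS side answers with a redirect and no header, so the scanner reports HSTS missing even though the final page sets it. The fix is server-side, adding the header to the redirect responses too.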

Friday, 17 January 2025

Palo Alto and Azure SAML auth

KBs:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE

https://learn.microsoft.com/en-us/entra/identity/saas-apps/palo-alto-networks-globalprotect-tutorial



Generate the new cert in Azure and make it active

Delete the old cert

Wait a few minutes for the Azure cloud to update

Download the federation metadata XML

Delete the old certs from the Palo

Import the XML into the Palo; this will create the cert and the SAML IdP profile

Don't tick the validate check box

Select the new IdP profile in your Azure authentication profile

Thursday, 2 January 2025

NAT rules on Palo Alto

Making a note because it's a bit different to Cisco ASA.


NAT rule

OUTSIDE > OUTSIDE

Public src > Public dst


FW rule 

OUTSIDE > INSIDE (counted as inside because of the NAT)

Public src > Public dst