Unprecedented Surge: Nearly 24,000 IPs Target PAN-OS GlobalProtect Gateways in Coordinated Attack

So, here we are again. Another month, another ominous scanstorm pounding the perimeter. This time, it’s Palo Alto Networks in the spotlight, specifically their PAN-OS GlobalProtect gateways — the sort of gear you'd hope people secure properly, considering it often sits right at the front door of enterprise networks.

But hey, hope isn't a strategy.

From March 17 to March 26, a wave of nearly 24,000 unique IP addresses took turns hammering on PAN-OS GlobalProtect instances across the internet. This wasn’t one chancer running a bad Python script on a rented VPS. This was coordinated. Persistent. And to anyone paying attention, deeply familiar.

Let’s do the numbers:

  • Daily peak? Over 23,950 unique IPs.

  • Duration? 10 days of probing, mostly in high gear.

  • Malicious flagging? Only 154 IPs were known-bad. That means 24,000 minus 154 are either new, clean, or being cleverly rotated.

That’s not a botnet gone wild. That’s reconnaissance. Someone’s mapping the battlefield before rolling out artillery.

And what were they looking for? Weak creds. Misconfigured portals. Forgotten test boxes someone left exposed "just temporarily" two years ago. Classic low-hanging fruit.

Oh, but it gets better. The majority of this probing came from the US and Canada, with supporting acts from Finland, the Netherlands, and Russia. The targets? US, UK, Ireland, Singapore, and Russia again — so this wasn’t a regional shakedown. This was global.

Let’s not pretend this is some surprise either. As Bob Rudis, VP of Data Science at GreyNoise (the people who monitor all this background noise) put it:

“We’ve seen this again and again. Targeted login scanning. Then — boom — a new vulnerability drops 2 to 4 weeks later. It’s like clockwork.”

In other words: this may not be the main event. This might just be the warm-up.

If You Run GlobalProtect — Wake Up

So if you’re responsible for one of these gateways and you still haven’t locked it down, here's your checklist before you become tomorrow’s breach headline:

1. Patch Like Your Job Depends on It (Because It Does)

Start with a hard audit. Are you even on a supported firmware? Have you patched in the last 30 days? Palo Alto pushed multiple security updates in Jan and Feb, including fixes for remote code execution bugs. If you’re even slightly behind, you’re exposed.

2. Get Eyes on the Logs

You should already have telemetry. If not — why the hell not? Login attempts from weird geos, failed authentication spikes, session floods — all of that is your early warning system.

3. Tighten Access Controls

Disable unused portals. Geo-block where you can. Enforce MFA with hardware tokens or app-based auth — not bloody SMS. Reduce the attack surface, and keep the attack bots guessing.

4. Monitor Everything

That includes internal monitoring. If they get past your gateway, you need to know before they’ve had tea and biscuits in your domain controller.
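The log-watching step above, as an added example (not code from the original post or from Palo Alto Networks): a small Python detector for the exact pattern the piece describes, many distinct source IPs each failing a login or two against the gateway inside a short window, rather than one noisy IP tripping lockouts. The log lines are constructed and deliberately simplified (they are not the real PAN-OS GlobalProtect syslog format), and the window and thresholds are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed, simplified gateway auth lines (NOT the real PAN-OS syslog format).
SAMPLE_LOG = """\
2025-03-20T10:00:01Z globalprotect auth-fail user=admin src=203.0.113.10 geo=FI
2025-03-20T10:00:03Z globalprotect auth-fail user=test src=203.0.113.11 geo=NL
2025-03-20T10:00:04Z globalprotect auth-fail user=vpn src=198.51.100.7 geo=RU
2025-03-20T10:00:05Z globalprotect auth-fail user=admin src=198.51.100.8 geo=US
2025-03-20T10:00:06Z globalprotect auth-fail user=guest src=203.0.113.12 geo=CA
2025-03-20T10:00:07Z globalprotect auth-success user=jsmith src=192.0.2.5 geo=GB
2025-03-20T10:00:08Z globalprotect auth-fail user=admin src=203.0.113.13 geo=US
2025-03-20T11:30:00Z globalprotect auth-fail user=jsmith src=192.0.2.5 geo=GB
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) globalprotect (?P<event>auth-\w+) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+)$")
EPOCH = datetime(1970, 1, 1)

def parse(log_text):
    """Parse matching lines into dicts; anything else is skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events

def detect_distributed_failures(events, window=timedelta(minutes=5),
                                min_unique_ips=5, max_per_ip=2):
    """Flag windows where many distinct IPs each fail only a few times:
    the rotated-source pattern the article describes, not one noisy IP.
    Thresholds are assumptions; tune them to your gateway's baseline."""
    buckets = {}
    for ev in events:
        if ev["event"] == "auth-fail":
            start = EPOCH + ((ev["ts"] - EPOCH) // window) * window
            buckets.setdefault(start, []).append(ev)
    alerts = []
    for start, fails in sorted(buckets.items()):
        per_ip = Counter(ev["src"] for ev in fails)
        if len(per_ip) >= min_unique_ips and max(per_ip.values()) <= max_per_ip:
            alerts.append({"window_start": start,
                           "unique_ips": len(per_ip),
                           "geos": sorted({ev["geo"] for ev in fails}),
                           "top_users": Counter(ev["user"] for ev in fails).most_common(3)})
    return alerts
```

On the sample above it raises one alert for the 10:00 window (six IPs across five countries, all hitting generic accounts) and stays quiet about the lone later failure, which is what you want an early-warning rule to do.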

This Isn’t Just Palo Alto’s Problem

The wider point? This is how cybercrime works in 2025. Reconnaissance isn’t a phase. It’s a service. Some groups scan, some sell access, others weaponise exploits the moment a vendor blinks.

And yet — people still run kit like this without proper hardening or monitoring. They still rely on default configs, exposed services, and a vague belief that “no one would target us.”

Newsflash: You just got scanned. You are being targeted. You were already in someone’s spreadsheet of potential entry points.

This isn’t FUD. It’s facts.

The Takeaway

PAN-OS GlobalProtect is enterprise kit. It deserves enterprise-grade defence. The scale and coordination of this scan suggest something bigger is coming. Whether that’s a new zero-day or a mass credential stuffing campaign, the message is clear:

You don’t get a second chance to patch after the breach.

So stop waiting. Audit. Harden. Monitor. And if you can’t do that internally — bring someone in who can.

Sources
The Hacker News: Nearly 24,000 IPs Target PAN-OS GlobalProtect Gateways
GreyNoise: Internet Background Noise Trends
AppCheck NG: Palo Alto Networks Monthly Security Round-Up (Jan–Feb 2025)
Palo Alto Networks Security Advisories