Annotator fwprobe

Firewall/VPN Console Probing

Requests match known firewall, VPN, and gateway admin/login surfaces or client artifacts, indicating explicit probing of security-device endpoints.

Attack family · Security appliance reconnaissance
Phase · Perimeter discovery and initial access
Risk · Critical

What This Annotator Watches

This explanation is derived from the live annotator implementation, not hand-waved catalog copy.
Focus
  • Firewall, VPN, and gateway admin surfaces
  • Vendor-specific security-device portals and APIs
  • Client artifacts that look like security-device probing
Logic
  • Strong path hits for Fortinet, Palo Alto, Cisco, F5, Pulse/Ivanti, and similar products emit on their own.
  • Known VPN/firewall client user-agents also emit directly.
  • Generic firewall or VPN hints only upgrade when several weak clues appear together.
Attack Family
Security appliance reconnaissance
Exposed firewall, VPN, and gateway consoles are high-value targets because they sit at trust boundaries. When attackers find them, the payoff can be domain access, remote footholds, and rapid enterprise spread.
Damage Patterns
  • Compromised VPN and firewall portals can lead directly to privileged network access, credential theft, and post-auth lateral movement.
  • The damage is often outsized because a perimeter device can collapse segmentation and visibility at once.
Incident Lore
  • Ransomware and intrusion crews have repeatedly used exposed VPN and firewall portals as the front door into larger environments.
  • The lore here is brutal: once the perimeter admin surface is reachable, the attacker no longer needs to guess where the trust boundary lives.
How To Read It
Use this when you want to know whether the traffic is intentionally hunting security-device consoles rather than generic web pages.
Defender Takeaway
Treat this as perimeter pressure. The attacker is not browsing your website; they are looking for the keys to the gate.
Catalog Definition
Flags requests that hit known firewall, VPN, and gateway management or login surfaces such as Fortinet remote-login paths, Palo Alto GlobalProtect portals, Cisco ASA/WebVPN prefixes, F5 TMUI routes, Pulse/Ivanti auth paths, and similar vendor-specific endpoints. It also emits on distinctive firewall/VPN client user agents, while generic keywords like "firewall" or "vpn" only count when combined with other hints such as 401/403 responses. This annotator is meant to surface informed attackers and scanners explicitly probing security-device consoles and portal surfaces, not generic payload injection. Interpret alongside scan velocity, Never-200-like behavior, and credential brute-force signals.
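The three emit rules described in the Logic list and the catalog definition (a strong vendor path hit emits on its own, a known client user-agent emits on its own, generic "firewall"/"vpn" hints emit only together with another clue such as a 401/403 response), written out as a small Python annotator over constructed access-log lines. This is an added example, not the live annotator's code: the rule ids that appear in the sample table below are reused as-is, while the Cisco and Pulse/Ivanti prefixes, the user-agent token list, the generic-combination rule id, and the threshold of two clues are assumptions made here.

```python
"""Simplified fwprobe-style annotator over Combined Log Format lines.

Added illustration of the logic the catalog describes; it is not the live
annotator's code. Rule ids for Fortinet, Palo Alto, Check Point, SonicWall and
F5 come from the catalog's sample table. The Cisco and Pulse/Ivanti prefixes
and ids, the client user-agent tokens, the generic-combination rule id and the
weak-clue threshold are assumptions made for this example.
"""
import re
from urllib.parse import unquote

# Strong path hits: any one of these emits a rule on its own.
STRONG_PATHS = [
    ("/remote/login",    "fwprobe:fortinet:remote_login_or_sslvpn"),
    ("/global-protect/", "fwprobe:paloalto:globalprotect_or_sslvpn_esp"),
    ("/sslvpn",          "fwprobe:checkpoint:sslvpn_root"),
    ("/sslvpn",          "fwprobe:sonicwall:sslvpn_surface"),  # same path, second vendor rule
    ("/mgmt/tm/",        "fwprobe:f5:mgmt_tm_api_surface"),
    ("/tmui/",           "fwprobe:f5:tmui_surface"),
    ("/+cscoe+/",        "fwprobe:cisco:asa_webvpn_prefix"),   # assumed prefix and id
    ("/dana-na/",        "fwprobe:pulse:dana_na_auth_path"),   # assumed prefix and id
]

# Distinctive firewall/VPN client user-agent tokens also emit directly (assumed list).
CLIENT_UA_TOKENS = {
    "forticlient":   "fwprobe:ua:forticlient",
    "globalprotect": "fwprobe:ua:globalprotect",
    "pulsesecure":   "fwprobe:ua:pulsesecure",
}

# Generic hints are weak on their own and emit only when several appear together.
GENERIC_KEYWORDS = ("firewall", "vpn")
WEAK_STATUSES = {401, 403}
WEAK_CLUE_THRESHOLD = 2                             # assumed: keyword plus one more clue
GENERIC_RULE = "fwprobe:generic:weak_clue_combo"    # assumed id

# Combined Log Format: ip ident user [ts] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def normalize_path(path: str) -> str:
    """Drop the query string, decode percent-escapes and lowercase, so that
    encoded variants of a vendor path still reach the prefix table."""
    return unquote(path.split("?", 1)[0]).lower()


def _prefix_hit(norm: str, prefix: str) -> bool:
    # Match exactly or as a directory component: "/sslvpn" matches "/sslvpn"
    # and "/sslvpn/login" but not "/sslvpnfoo".
    base = prefix.rstrip("/")
    return norm == base or norm.startswith(base + "/")


def annotate_request(method: str, path: str, status: int, ua: str) -> list:
    """Return the sorted list of rule ids a single request triggers."""
    norm = normalize_path(path)
    ua_l = ua.lower()
    rules = {rule for prefix, rule in STRONG_PATHS if _prefix_hit(norm, prefix)}
    rules.update(rule for token, rule in CLIENT_UA_TOKENS.items() if token in ua_l)
    if rules:
        return sorted(rules)
    # Weak path: count independent generic clues and emit only on a combination.
    keyword_hit = any(k in norm or k in ua_l for k in GENERIC_KEYWORDS)
    clues = int(keyword_hit) + int(status in WEAK_STATUSES)
    if keyword_hit and clues >= WEAK_CLUE_THRESHOLD:
        return [GENERIC_RULE]
    return []


def annotate_log(lines) -> list:
    """Parse access-log lines and return one record per request that emits."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        rules = annotate_request(m["method"], m["path"], int(m["status"]), m["ua"])
        if rules:
            out.append({"ip": m["ip"], "path": m["path"],
                        "status": int(m["status"]), "rules": rules})
    return out


# Constructed sample log lines (documentation addresses, not captured traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Apr/2026:18:21:00 +0000] "GET /remote/login HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [05/Apr/2026:09:56:00 +0000] "GET /sslvpn HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [04/Apr/2026:17:18:00 +0000] "GET /tmui/login.jsp HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.13 - - [05/Apr/2026:03:41:00 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 400 0 "-" "python-requests/2.31"',
    '203.0.113.14 - - [05/Apr/2026:12:00:00 +0000] "GET /docs/vpn-setup.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.15 - - [05/Apr/2026:12:01:00 +0000] "GET /vpn/admin HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '203.0.113.16 - - [05/Apr/2026:12:02:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "FortiClient/7.0"',
]

if __name__ == "__main__":
    for rec in annotate_log(SAMPLE_LOG):
        print(rec["ip"], rec["status"], rec["path"], "->", ", ".join(rec["rules"]))
```

Two behaviours worth noticing when running it: the `/sslvpn` request emits both the Check Point and the SonicWall rule, which is why the sample table below lists that one path twice with different rule ids, and the `/docs/vpn-setup.html` request does not emit at all, because a generic keyword with a 200 response is a single weak clue, whereas `/vpn/admin` with a 403 reaches the two-clue threshold.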

10 Most Recent Real Samples

Weekly cached from live annotated access events so the catalog stays fast.
Week · 2026W15
Lookback · 30 days
Total matched · 121
Latest sample · Apr 05, 2026 • 18:21
Top rules
  • fwprobe:paloalto:globalprotect_or_sslvpn_esp · 2
  • fwprobe:checkpoint:sslvpn_root · 2
  • fwprobe:sonicwall:sslvpn_surface · 2
Top requester orgs
  • Unique IP Solutions private Limited · 6
  • FBW NETWORKS · 2
  • IT Hostline Ltd · 1
Severity mix (severity score · number of samples)
  • 28 · 5
  • 26 · 2
  • 32 · 2
  • 34 · 1
Method mix
  • GET · 9
  • POST · 1
GET 404 · severity 28 · Apr 05, 2026 • 18:21
/remote/login
Fortinet SSL-VPN / remote login endpoint probe
IP 213.166.94.153 · Subnet 213.166.94.0/24 · Org IT Hostline Ltd · Country United States · Rule fwprobe:fortinet:remote_login_or_sslvpn

GET 404 · severity 28 · Apr 05, 2026 • 09:56
/global-protect/login.esp
Palo Alto GlobalProtect / SSL-VPN portal probe
IP 91.92.21.182 · Subnet 91.92.21.0/24 · Org Unique IP Solutions private Limited · Country Cyprus · Rule fwprobe:paloalto:globalprotect_or_sslvpn_esp

GET 404 · severity 28 · Apr 05, 2026 • 09:56
/global-protect/login.esp
Palo Alto GlobalProtect / SSL-VPN portal probe
IP 91.92.21.182 · Subnet 91.92.21.0/24 · Org Unique IP Solutions private Limited · Country Cyprus · Rule fwprobe:paloalto:globalprotect_or_sslvpn_esp

GET 404 · severity 26 · Apr 05, 2026 • 09:56
/sslvpn
Check Point SSL-VPN root probe
IP 91.92.21.182 · Subnet 91.92.21.0/24 · Org Unique IP Solutions private Limited · Country Cyprus · Rule fwprobe:checkpoint:sslvpn_root

GET 404 · severity 28 · Apr 05, 2026 • 09:56
/sslvpn
SonicWall SSL-VPN portal probe
IP 91.92.21.182 · Subnet 91.92.21.0/24 · Org Unique IP Solutions private Limited · Country Cyprus · Rule fwprobe:sonicwall:sslvpn_surface

GET 404 · severity 26 · Apr 05, 2026 • 09:56
/sslvpn
Check Point SSL-VPN root probe
IP 91.92.21.182 · Subnet 91.92.21.0/24 · Org Unique IP Solutions private Limited · Country Cyprus · Rule fwprobe:checkpoint:sslvpn_root

GET 404 · severity 28 · Apr 05, 2026 • 09:56
/sslvpn
SonicWall SSL-VPN portal probe
IP 91.92.21.182 · Subnet 91.92.21.0/24 · Org Unique IP Solutions private Limited · Country Cyprus · Rule fwprobe:sonicwall:sslvpn_surface

POST 400 · severity 34 · Apr 05, 2026 • 03:41
/mgmt/tm/util/bash
F5 BIG-IP /mgmt/tm API surface probe
IP 64.181.165.33 · Subnet 64.181.165.0/24 · Org Oracle Cloud Infrastructure (sa-saopaulo-1) · Country Brazil · Rule fwprobe:f5:mgmt_tm_api_surface

GET 404 · severity 32 · Apr 04, 2026 • 17:18
/tmui/login.jsp/%2e.;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip%2econf
F5 BIG-IP TMUI surface probe
IP 185.177.72.38 · Subnet 185.177.72.0/24 · Org FBW NETWORKS · Country France · Rule fwprobe:f5:tmui_surface

GET 404 · severity 32 · Apr 04, 2026 • 17:18
/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/api/.env
F5 BIG-IP TMUI surface probe
IP 185.177.72.38 · Subnet 185.177.72.0/24 · Org FBW NETWORKS · Country France · Rule fwprobe:f5:tmui_surface