Current State Assessment

| Site | Firewall | ISP | Network | Domain Controllers |
|---|---|---|---|---|
| Honolulu | Palo Alto PA-2020 (10.100.7.1) | Spectrum (98.147.1.83) | 10.100.7.0/24 | AD0 (10.100.7.10), AD1 (10.100.7.11) |
| Boulder | Netgate 6100 pfSense+ (10.15.0.254) | Comcast (50.198.217.249) | 10.15.0.0/24 | AD1 (10.15.0.10), AD2 (10.15.0.11) |

Identity: On-premises Active Directory at both sites, synced to Microsoft Entra ID via Entra Connect.

| Milestone | Date |
|---|---|
| End-of-Sale | April 30, 2015 |
| End-of-Service-Life | April 30, 2020 |
| Maximum PAN-OS | 7.1 (EOL June 30, 2020) |
| Security updates available | NONE since June 2020 |
| Years unsupported | ~6 years |

The PA-2020 has been out of support longer than many organizations’ entire hardware lifecycle. Palo Alto Networks will not sell renewal subscriptions for this device. No security patches, no threat intelligence updates, and no vendor support of any kind are available.

| User Group | % of Users | VPN Usage | Frequency |
|---|---|---|---|
| General Staff | ~90% | AD password reset only | Every 4 months |
| Power Users (Engineers) | ~10% | SMB shares, RDP, CAD/GIS/SAGE access | Daily |

The vast majority of VPN connections exist solely to maintain connectivity to a Domain Controller for password changes.

An external assessment of vpn.gsisg.com revealed the following:

| Finding | Severity | Detail |
|---|---|---|
| PA-2020 End-of-Service-Life | CRITICAL | 6 years unsupported, zero security patches available |
| Login portal publicly exposed | CRITICAL | Directly targeted by automated credential-spraying campaign |
| TLS 1.0 enabled | HIGH | Deprecated protocol |
| TLS 1.1 enabled | HIGH | Deprecated protocol |
| No Forward Secrecy (PFS) | HIGH | Only RSA key exchange — no ECDHE/DHE ciphers |
| 3DES cipher suites enabled | MEDIUM | Vulnerable to SWEET32 attack |
| Unsafe legacy renegotiation | MEDIUM | Vulnerable to MitM renegotiation attacks |

Note on CVEs: While high-profile CVEs (CVE-2024-3400 CVSS 10.0, CVE-2024-0012 CVSS 9.3, CVE-2024-9474 CVSS 7.2) don’t directly affect the PA-2020 (they require PAN-OS 10.2+), this is NOT a security advantage. The PA-2020 runs code so old it falls outside the scope of modern vulnerability research. Undisclosed vulnerabilities in PAN-OS 7.1 will never be patched.

Active Threat: Global Credential-Spraying Campaign

Since late 2025, a coordinated campaign has been targeting Palo Alto GlobalProtect portals worldwide:

  • December 11, 2025: 1.7 million login attempts in 16 hours from 10,000+ IPs (GreyNoise)
  • December 12, 2025: Campaign pivoted to Cisco SSL VPN (same infrastructure, same fingerprint)
  • February 23, 2026: 11x spike — 30,000 sessions from 8,575 unique IPs (ELLIO)
  • Primary source: 3xK GmbH infrastructure (Germany)
  • Campaign status: Assessed as ongoing with rotating infrastructure
  • Our portal is exposed: vpn.gsisg.com resolves to 98.147.1.83 and is actively reachable on port 443

Sources: BleepingComputer, Dark Reading, GreyNoise, SC Media, ELLIO, Palo Alto Networks.
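One way to tell the spraying pattern described above (many accounts, one or two attempts each, from one source) apart from an ordinary single-account brute force in portal authentication logs. This is an added example, not part of this assessment; it runs over constructed sample lines in a simplified `timestamp,src_ip,user,result` form, not the real PAN-OS GlobalProtect log format, and the IPs are documentation-range placeholders.

```python
"""Flag password-spraying sources in constructed GlobalProtect-style auth logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (simplified CSV, not PAN-OS syslog). One source hits six
# different accounts once each; another hammers a single account and finally succeeds.
SAMPLE_LOG = """\
2026-02-23T10:00:01Z,203.0.113.5,alice,failure
2026-02-23T10:00:02Z,203.0.113.5,bob,failure
2026-02-23T10:00:03Z,203.0.113.5,carol,failure
2026-02-23T10:00:04Z,203.0.113.5,dave,failure
2026-02-23T10:00:05Z,203.0.113.5,erin,failure
2026-02-23T10:00:06Z,203.0.113.5,frank,failure
2026-02-23T10:05:00Z,198.51.100.7,alice,failure
2026-02-23T10:05:30Z,198.51.100.7,alice,failure
2026-02-23T10:06:00Z,198.51.100.7,alice,success
"""


def parse_log(text):
    """Parse the constructed CSV form into (timestamp, src_ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def find_spraying(events, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: set_of_usernames} for sources whose failed logins touched at
    least `min_users` distinct accounts inside any span of length `window`.
    Spraying = many users, few attempts each; brute force = one user, many attempts,
    so the single-account source is deliberately not flagged here."""
    failures_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "failure":
            failures_by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in failures_by_ip.items():
        attempts.sort()  # sliding window needs chronological order
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = users
                break
    return flagged
```

Tune `window` and `min_users` to the portal's normal failure rate; the distinct-user count per source is the signal, not the raw attempt count.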

When users are off-network and need to reset their AD password:

  1. They must first manually connect to GlobalProtect VPN
  2. The VPN portal is the credential-spraying target
  3. After connecting, they reset their password (via helpdesk or self-service)
  4. The process is manual, frustrating, and generates helpdesk tickets

Even with Microsoft SSPR (Self-Service Password Reset), there’s a critical limitation: Windows cached credentials do not update unless the machine has line-of-sight to a Domain Controller. Microsoft’s own documentation states:

“Microsoft Entra hybrid-joined machines must have network connectivity line of sight to a domain controller to use the new password and update cached credentials.”

This means SSPR alone cannot solve the problem — the machine needs DC connectivity to update the local Windows login password.