live.paloaltonetworks.com
3.160.150.11
Public Scan
URL:
https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184
Submission: On April 30 via api from IN — Scanned from DE
Text Content
Applying Vulnerability Protection to GlobalProtect Interfaces

maurisy (L4 Transporter), on 07-22-2020 03:59 PM - edited on 04-24-2024 10:11 AM by JayGolf

Summary

This document discusses the configuration steps for applying a vulnerability protection security profile to the GlobalProtect interface, in order to protect the GlobalProtect services from attacks using published product security vulnerabilities.

Background

In customer deployments that use GlobalProtect for remote access, customers often configure and apply security profiles such as vulnerability protection to network traffic between VPN clients and internal network zones. There are also certain circumstances where a customer may want to apply a vulnerability protection profile to traffic hitting the GlobalProtect portal and gateway services, which are served by the firewall, and not just to traffic going through the firewall into the network. For example, there may be situations where a customer wants to block attempted attacks before they are able to upgrade PAN-OS to a patched version. This can be accomplished by applying a properly configured vulnerability protection profile to a firewall rule that is configured to apply to traffic hitting the GlobalProtect portal and gateway services hosted by the firewall.

Note 1: 4/14/2024: A hotfix for each of the PAN-OS versions (10.2, 11.0, 11.1) affected by CVE-2024-3400 is now available in the Customer Support Portal (CSP) and inside PAN-OS (both NGFWs and Panorama). An ETA for other commonly deployed versions of PAN-OS is available on the product security advisory for CVE-2024-3400.
It is recommended to apply this hotfix and also complete the mitigations recommended in the advisory.

Note 2: This how-to guide uses CVE-2024-3400 as its example. Vulnerability protection signature #95187, which detects and prevents attempted attacks, was released in content version 8833-8682 on 4/11/2024. The vulnerability affected GlobalProtect portal and gateway services. This document assumes that the firewall is already configured and used as a GlobalProtect portal and/or gateway service.

Configuration Steps:

Step 1: Ensure that you have the latest content update installed that includes the relevant threat protection

* Make sure the content version that you are running includes the threat signature(s) that need to be applied to the GlobalProtect interfaces in order to block the attack.
* In the example used in this document, the minimum content version required is 8833-8682, which was released on 4/11/2024.

Step 2: Determine the correct zone for GP portal and GP gateway

* If a GP Portal is configured, go to Network > GlobalProtect > Portals and find the portal and associated interface. In the example below, we are using GP-Auto-Portal1. The interface that the portal connects to is shown to be ethernet1/1.
* Determine the associated zone for the GlobalProtect portal that includes the interface found in the previous step. Go to Network > Interfaces > Ethernet. In the example below, we can see that interface ethernet1/1 is in the GP-untrust zone.
* If a GlobalProtect gateway is configured, go to Network > GlobalProtect > Gateways and find the gateway and associated interface. In the example below, we are using GP-GW1. The interface is loopback.1.
* Determine the zone associated with the GlobalProtect gateway. Go to Network > Interfaces > Loopback. We can see that interface loopback.1 is also in the GP-untrust zone.
Now we know the zone for the portal and gateway, which we need to protect with a vulnerability protection profile.

Step 3: Modify or Create a New Vulnerability Protection Profile

Configure a new or existing vulnerability profile that is specifically configured to block the relevant threat impacting the GlobalProtect services. Go to Objects > Security Profiles > Vulnerability Protection. As a best practice, we recommend simply setting the blocking action of “reset-server” for all critical severity signature triggers.

* Alternatively, you can add an exception specifically for the relevant signature (#95187 in this case) to configure the reset-server action for this signature when it triggers (see below).

Step 4: Modify or create a firewall security rule

After modifying or creating a new vulnerability protection object, verify what security policies were in place to protect GlobalProtect services, and add the newly created Vulnerability Protection Profile. If you already have a customized / Best Practices Profile attached to your security policy, please go back to Step 3 and amend your existing Vulnerability Protection Profile instead of creating a new one.

If you did not have an existing security policy and rule in place, then go ahead and create a security rule to apply the vulnerability protection profile to. Go to Policies > Security. Create a new policy. In this example, we name it “block_gp_vulnerability.” The source zone should be “any” and the destination zone is the GlobalProtect gateway and/or GlobalProtect portal zones we found in step 1. Assign to this rule the Vulnerability Protection Profile you modified or created in step 3. Please make sure that the rest of the applied policy and security policies follow our best practices guides.

Step 5: Commit

Commit the changes to apply the new Vulnerability Protection Profile to the Security Rule protecting the GP Portal and/or Gateway.
Any attempted attacks against the GlobalProtect services that attempt to use this specific vulnerability will be blocked and logged in the threat log.

FAQ:

Is GlobalProtect enabled?

* You can verify by checking for entries in your firewall web interface (Network > GlobalProtect).

Am I compromised?

* You can upload a technical support file (TSF) to the Customer Support Portal (CSP) after opening a case to determine if your firewall device(s) match(es) known indicators of compromise (IoC).

What do I need to do?

* Review the output of the technical support file (TSF) analysis (see above question) to understand the level of attempted exploitation and the remediation steps provided in the Unit 42 Threat Brief for CVE-2024-3400.
* As a best practice, we strongly recommend all customers apply the Threat Prevention signature with Threat ID 95187 and 95189 (available in Applications and Threats content version 8835-8689 and later), and apply vulnerability protection to their GlobalProtect interface.
* After completing the above steps, we strongly recommend installing the hotfix listed in the advisory for your impacted PAN-OS devices.

Is Prisma Access or Cloud NGFW impacted by this vulnerability?

* Prisma Access and Cloud NGFW are not impacted by this vulnerability.

What PAN-OS versions are affected?

* This affects PAN-OS versions 10.2 and greater.
* Hotfixes are released for PAN-OS 10.2, 11.0 and 11.1 branches. Please refer to the security advisory for more information.

Is disabling telemetry an effective mitigation strategy?

* In earlier versions of the advisory, disabling device telemetry was listed as a secondary mitigation action. Disabling device telemetry is no longer an effective mitigation. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.

How can I look for IoCs and research a potential compromise?
* Please refer to the Unit42 Threat Brief (https://unit42.paloaltonetworks.com/cve-2024-3400/) and the Volexity blog post (https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execut...) for the latest information.

I applied the hotfix; how can I confirm I’m now “clean”?

* Before rebooting into the hotfix it is recommended that you take a TSF and upload for analysis on any level of compromise and take the recommended remediation actions if appropriate.
* After remediating if needed, upgrading and booting into the hotfix, you can verify that you are running the fixed version of code by running the “show system info” CLI command and checking the sw-version field against what is published as fixed in the CVE.
* You can upload the new TSF for analysis and confirmation that no further indicators of compromise are seen from the upgraded device.

Additional Resources on CVE-2024-3400:

* Security Advisory Page
* Knowledge Base Article
* UNIT42 on CVE-2024-3400
* More on CVE-2024-3400

Comments

BYUNGKWON-LEE (L1 Bithead), 04-12-2024 12:51 AM
I upgraded to version 8833, but signature ID 95187 is not visible.

cciwa-admin (L0 Member), 04-12-2024 01:06 AM
Yep, it was not there.

ipohlschneider (L1 Bithead), 04-12-2024 01:14 AM
Same here

SomeSuch (L1 Bithead), 04-12-2024 01:16 AM
I confirm, ThreatID 95187 not present in content update 8833-8682

B.Yeung (L0 Member), 04-12-2024 01:17 AM
upgraded to 8833-8682, cannot find 95187

michelealbrigo (L3 Networker), 04-12-2024 01:21 AM
95187 is in the release notes, but searching for it in the profile editing section yields no results.

RyanMinty (L1 Bithead), 04-12-2024 01:24 AM
Same issue as the above users 95187 is missing.

BYUNGKWON-LEE (L1 Bithead), 04-12-2024 01:30 AM
app only shows the signature. However, the signature for app+threat is not visible.

hien.vo (L1 Bithead), 04-12-2024 02:09 AM
Same issue there is no 95187 in PAN-OS content update 8833-8682

chagberg (L1 Bithead), 04-12-2024 02:19 AM
it is visible in CLI, but not gui

    show threat id 95187
    This signature detects malicious payload in HTTPS request.
    critical
    Unknown
    https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention

Gustor (L0 Member), 04-12-2024 02:19 AM
Apparently none of the new vulnerability signatures added to content release 8833 are visible, not only signature ID 95187. Is everybody experiencing this same issue?

Gustor (L0 Member), 04-12-2024 02:32 AM
I found the following article about missing threat ID's: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U27CAE

B.Yeung (L0 Member), 04-12-2024 02:38 AM
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U27CAE
I follow this article to use cli to add, although after added gui still not seen 95187, but total exceptions increase one.

Gurminder_Birdee (L0 Member), 04-12-2024 02:43 AM
anyone know why threat id 95187 is showing threat name 'Malicious HTTPS Request Detection' and not related to the actual command injection vulnerability?

BYUNGKWON-LEE (L1 Bithead), 04-12-2024 02:48 AM
I reverted the app and deleted 8833, then downloaded the app again and reinstalled it to solve the problem.

bachtiar.adiguna (L0 Member), 04-12-2024 02:50 AM
Yeah, I think we all have same problem here, after updating the threat & apps, we couldn't find the Threat ID 95187, it's strange, pls let me know if there's an update

GarethBulleyGarethBulley (L0 Member), 04-12-2024 03:21 AM
same issue with 95187 not showing

chagberg (L1 Bithead), 04-12-2024 03:32 AM
did the same as @BYUNGKWON-LEE, and it now shows up in GUI.

JonasBeckerSOM (L0 Member), 04-12-2024 03:54 AM
same here, 95187 not showing

itassetbenilde (L1 Bithead), 04-12-2024 03:57 AM
same

MikeGeo (L1 Bithead), 04-12-2024 04:25 AM
Same issue here. Signatures from this release not showing in GUI. Even though content version confirmed installed.
Even tried to revert delete download and install again with the same result. Come on Palo!!

Stefan.s (L0 Member), 04-12-2024 04:39 AM
@chagberg or @BYUNGKWON-LEE can you please share more in detail what you did? I tried it, but must have missed something, didn't work for me..

tarapitha (L0 Member), 04-12-2024 04:40 AM
ID 95187 was not there right after applying 8833-8682, it took couple of minutes for it to appear in the list.

chagberg (L1 Bithead), 04-12-2024 04:44 AM
I pushed first from Panorama. It did not appear in the list but was visible in CLI. Reverted to the previous one, and deleted 8833 on the FW. Installed 8833 through CLI after running a "request content upgrade check" by running "request content upgrade download latest" and then "request content upgrade install latest". It now appeared in GUI immediately.

chagberg (L1 Bithead), 04-12-2024 04:46 AM
just got this from support
"If you are following TID protection based approach, please be aware of the following: You may not see the TID when you check from the vulnerability profile in GUI due to a PAN-OS issue."

Stefan.s (L0 Member), 04-12-2024 04:49 AM
@chagberg Thanks.

MikeGeo (L1 Bithead), 04-12-2024 05:04 AM
@chagberg Thanks!!! This worked for me!!! For others… downgrading, deleting, downloading again, installing again didn’t fix this signature not displaying in GUI but the CLI steps provided did!!

RLANG_2019 (L1 Bithead), 04-12-2024 05:20 AM
They are there you have to go to the exceptions tab and check "show all signatures". You will then be able to see it.

HSDTechs (L0 Member), 04-12-2024 05:30 AM
Signature is not visible in the GUI

PANcake (L0 Member), 04-12-2024 05:32 AM
After installing the content update, the ID didn't show up on the GUI. Later I checked if it's shown on the CLI, show threat id 95187, and there it was. After CLI checkup it was also visible on the GUI. I don't know if CLI check populated it to the GUI, or if it came visible on GUI by itself, since there was few hours between update install and the moment I checked later.

SomeGuy1000 (L1 Bithead), 04-12-2024 05:41 AM
I guess I am not super clear here, isn't this creating an any any rule and allowing traffic? would setting the action to drop and applying the profile achieve the same thing? Or at least specifying the globalprotect portal IP in the destination?

Hsingh (L0 Member), 04-12-2024 05:49 AM
Hi Everyone,
If threat ID 95187 is still not showing after installing the Applications and Threats content version 8833-8682, please try logging out and logging back in, opening incognito mode, or restarting your management server.
How to Restart the Management server "mgmtsrvr" Process
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaGCAS
Regards,
Harpreet Singh

Gustor (L0 Member), 04-12-2024 05:57 AM
I just waited a few hours and now the threat ID 95187 is showing up in the vulnerability protection profile under exceptions with "show all signatures". I did use the CLI command earlier to show the threat ID but that didn't have any effect in the webUI as far as I know. So patience is the key here?
PS. It would be nice if PaloAlto Networks moderated or monitored this community and provided help and feedback on issues like this.

JonasBeckerSOM (L0 Member), 04-12-2024 06:04 AM
log off and login worked for me to get 95187 visible

HSDTechs (L0 Member), 04-12-2024 06:06 AM
@hsingh Thanks... should have thought to do this.

KuehnAnd (L0 Member), 04-12-2024 06:08 AM
I don't see this threat ID 95187 in the gui of PANOS version 10.2.8 but I can see it in version 10.1.12. But when I use the cli command: show threat id 95187, I can see that this threat id is known by version 10.2.8 also.

CedricLeclere (L0 Member), 04-12-2024 06:39 AM
same issue here, we can find it on our Palo but can't apply by Panorama. but we can see it on CLI.... Palo wake up please

pmauretti (L0 Member), 04-12-2024 06:51 AM
@Gustor Do you think Palo Alto can afford to pay someone to moderate? They are just a small $90B company (top 100 in the US) after all.
Content is showing update here. Make sure you are showing all signatures and search by threat ID:

n230fs (L0 Member), 04-12-2024 06:57 AM
@chagberg I had to follow that same process to get it to work. Thanks!

jpage386 (L0 Member), 04-12-2024 07:26 AM
Hi, I found I had to close out of all browser windows and re-launch the GUI and then the app was there. Must have been some sort of caching issue.

Claw4609 (L4 Transporter), 04-12-2024 07:30 AM
Since I think it should be added here. Here's what's listed on the support portal:
Threat ID not seen after upgrading to the latest content version - 8833-8682 to remediate CVE-2024-3400. This is due to the PANOS issue impacting all PANOS above 10.2.X.
The workaround is to use the below CLI command from config mode to check the Threat ID -
    >config
    # show predefined threats vulnerability 95187
    95187 {
      threatname "Malicious HTTPS Request Detection";
    }
To configure the vulnerability profile, use severity "Critical" in the vulnerability profile from GUI, which will include TID 95187.

ddenayer (L0 Member), 04-12-2024 07:31 AM
Anyone that follows step 4 is probably going to make things worse as it will remove any protections already in the Firewall policy. If you are already following the best practices and have your firewalls grabbing content updates regularly this is a non-issue.

Caveman (L0 Member), 04-12-2024 08:16 AM
@SomeGuy1000 I had the same thoughts... It ultimately needs to apply to whatever rule you're allowing GP access I think. I have a zero trust for my WAN so I have to allow GlobalProtect explicitly, I will be adding the vulnerability profile here. Which I should have been from the start anyway.

AJS_Justin (L0 Member), 04-12-2024 08:45 AM
Seeing lots of comments where the new threat isn't visible. I had the same problem, logout did not resolve it. I ran the content update again via CLI and it did come through finally.
    request content upgrade install sync-to-peer yes commit yes version latest

jocelynsloan (L0 Member), 04-12-2024 11:10 AM
Do we configure step 4 as an Allow rule because the malicious traffic gets blocked by the security profile settings? I'm a little confused why it is not a Deny rule (I don't want to block all my GP traffic, just the malicious stuff).

ddenayer (L0 Member), 04-12-2024 11:11 AM
@SomeGuy1000 Security Profiles are only applicable to allow rules.
Security Profiles have no bearing on what traffic hits the actual firewall policy, just what additional inspection the firewall does with the traffic once it matches a policy. What you should already have is a Firewall policy that allows traffic to the GlobalProtect interface or IP specifically, and that policy should have a Security Profile already associated with it that correlates to the Best Practices provided by Palo Alto. If that is being done (as it already should be) and you are doing content updates (dynamic updates) on a regular schedule, also provided through Best Practices, then this vulnerability will have already been mitigated.

ddenayer (L0 Member), 04-12-2024 11:16 AM
@jocelynsloan Security Profiles are what the firewall does with traffic after it takes the policy action of allow. Refer to my previous comment for what the best actions for this specific vulnerability are in a live environment. Palo Alto's guidance is good, but talks about this vulnerability in a vacuum, whereas the solution in a live environment is going to be very different for Step 4. Really all of this guidance only complicates the tasks for anyone that needs the guidance.

Matheus_Doria (L0 Member), 04-12-2024 11:26 AM
I did the update in GUI and the ID 95187 didn't appear. So I installed it again from CLI (without uninstalling):
    request content upgrade install file panupv2-all-contents-8833-8682.tgz
Then 95187 appeared in the GUI.

JimWeston (L0 Member), 04-12-2024 12:18 PM
@SomeGuy1000 That is what I was thinking as well. The wording of this guide is really bad and why are they using version 9.x screenshots??? Come on Palo Alto, this is poor.

DevalS (L0 Member), 04-12-2024 12:35 PM
All, I am trying to go through this document, I am stuck on Step 2.
While creating the Vulnerability protection profile how does this apply to the GlobalProtect Interface? I could not find that piece here. Can someone please explain? TIA.

127476 Views, 74 comments, 4 Likes
Contributors: maurisy, JayGolf, kiwi, jennaqualls
Last Updated: 04-24-2024 10:11 AM. Updated by: JayGolf
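
ddenayer's comments in this thread say that Security Profiles are only applicable to allow rules, so the rule that allows GlobalProtect traffic is the one that needs the Vulnerability Protection profile. The following is an added example, not part of the thread or of Palo Alto's article, that checks an exported rulebase for that condition; the XML fragment is constructed, its element layout is assumed to match a PAN-OS security rulebase export, and all rule, address and profile names are invented.

```python
import xml.etree.ElementTree as ET
# Constructed sample shaped like a PAN-OS security rulebase export (assumed layout).
# Rule, address and profile names are invented for this example.
SAMPLE_RULEBASE = """
<rules>
  <entry name="allow-gp-portal">
    <destination><member>gp-portal-addr</member></destination>
    <action>allow</action>
    <profile-setting><profiles>
      <vulnerability><member>gp-vuln-critical</member></vulnerability>
    </profiles></profile-setting>
  </entry>
  <entry name="allow-gp-legacy">
    <destination><member>gp-portal-addr</member></destination>
    <action>allow</action>
  </entry>
  <entry name="allow-web">
    <action>allow</action>
    <profile-setting><group><member>default-group</member></group></profile-setting>
  </entry>
  <entry name="drop-inbound">
    <action>drop</action>
    <profile-setting><profiles>
      <vulnerability><member>gp-vuln-critical</member></vulnerability>
    </profiles></profile-setting>
  </entry>
</rules>
"""

def classify(rule):
    action = rule.findtext("action", default="").strip()
    profiles = [m.text for m in rule.findall("profile-setting/profiles/vulnerability/member")]
    groups = [m.text for m in rule.findall("profile-setting/group/member")]
    if action != "allow":
        # Traffic is never allowed by this rule, so an attached profile inspects nothing.
        return "profile-not-evaluated" if profiles or groups else "blocked"
    if profiles:
        return "inspected:" + profiles[0]
    if groups:
        # A profile group may or may not contain a vulnerability profile; resolve it by hand.
        return "review-group:" + groups[0]
    return "allowed-uninspected"

def audit(xml_text):
    # Map each rule name to its classification, in rulebase order.
    return {r.get("name"): classify(r) for r in ET.fromstring(xml_text).findall("entry")}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_RULEBASE).items():
        print(f"{name:18} {status}")
```

Rules reported as allowed-uninspected are the ones to fix first; review-group results need the referenced profile group checked for a vulnerability profile.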