Hi Team,
We are getting the following vulnerabilities on one of our PA firewalls. Kindly suggest the next PoA regarding the mentioned vulnerabilities.
Plugin | Plugin Name | Family | Severity | IP Address | Type
84502 | HSTS Missing From HTTPS Server | Web Servers | Medium | x.x.x.x | Palo Alto
Kindly review and share your inputs with us. Awaiting your response!
Best Regards,
Sahul Hameed
@sahul.hameed I saw you had the question posted on the Live community as well.
One person stated that the jQuery issue was to be resolved in 9.1.8. Not sure how they know that, but it looks like release notes only go to 9.1.7.
I received this information from an internal resource at PAN. This appears to have been found and fixed internally, so no external documentation as far as I have found.
9.1.5 has a fix as well.
Hi Reaper,
It was scanned on the MGMT interface and this HSTS vulnerability was noticed. So what I have understood from your response is this:
If we try to create a certificate for that MGMT interface IP with a strong encryption algorithm (e.g. ECDSA), then configure an SSL/TLS profile with the minimum version set to TLS 1.2, and then map this SSL/TLS profile in the management configuration of the firewall, is this correct? If not, please correct me if my understanding is wrong or I have misunderstood.
Awaiting your reply!
Scanner used --> Nessus Vulnerability Scanner
Best Regards,
Sahul Hameed
Hi Sahul,
The issue you reported is documented as a problem in GlobalProtect and was fixed in PAN-OS 8.0.8. Since you did not provide much detail, I have to guess what would be a good next step for you ;)
If it's the management interface, make sure a strong server certificate is imported and then create an SSL/TLS server profile with the certificate and 'minimum version' set to TLS 1.2.
Which version of PAN-OS are you on, and which 'portal' is reporting this (gp, management,...)? You may need to upgrade your firewall; have you reviewed the release notes?
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-release-notes.html
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-release-notes.html
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-release-notes.html
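
Added example, not part of the thread: the finding quoted above (plugin 84502, "HSTS Missing From HTTPS Server") concerns the Strict-Transport-Security response header, so one way to re-check it after any change is to inspect the response head the interface returns. The Python below evaluates a raw response head against the RFC 6797 rules; the function name `parse_hsts` and both sample responses are constructed for illustration.

```python
import re

# Constructed sample responses (not captured from any real device).
SAMPLE_MISSING = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
SAMPLE_PRESENT = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "strict-transport-security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
)


def parse_hsts(raw_head):
    """Return (ok, detail) for the HSTS policy in a raw HTTP response head."""
    # Drop the status line; header names are case-insensitive.
    lines = raw_head.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    values = [v.strip() for n, _, v in (l.partition(":") for l in lines)
              if n.strip().lower() == "strict-transport-security"]
    if not values:
        return False, "header missing"
    # RFC 6797 section 8.1: only the first STS header field is processed.
    directives = {}
    for part in values[0].split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            # A directive may appear only once (RFC 6797 section 6.1).
            return False, "duplicate directive: " + name
        directives[name] = val.strip().strip('"')  # value may be quoted
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return False, "max-age missing or not numeric"
    if int(max_age) == 0:
        return False, "max-age=0 tells clients to drop the policy"
    sub = "includesubdomains" in directives
    return True, "max-age=%s includeSubDomains=%s" % (max_age, sub)
```

To check a live interface, pass in the response head saved from a request to it, for example the output of `curl -sI`.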