https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184 <P><STRONG>Summary</STRONG></P> <P>This document discusses the configuration steps for applying a vulnerability protection security profile to GlobalProtect interface, in order to protect the GlobalProtect services from attacks using published product security vulnerabilities.</P> <P>&nbsp;</P> <P><STRONG>Background</STRONG></P> <P>In customer deployments that use GlobalProtect for remote access, customers often configure and apply security profiles such as vulnerability protection to network traffic between VPN clients and internal network zones.&nbsp;</P> <P>&nbsp;</P> <P>There are also certain circumstances where a customer may want to apply a vulnerability protection profile to traffic hitting the GlobalProtect portal and gateway services, which are served by the firewall and not just traffic going through the firewall into the network. For example, there may be situations where a customer wants to block attempted attacks before they are able to upgrade PAN-OS to a patched version. This can be accomplished by applying a properly configured vulnerability protection profile to a firewall rule that is configured to apply to traffic hitting the GlobalProtect portal and gateway services hosted by the firewall.</P> <P>&nbsp;</P> <P><STRONG>Note 1:</STRONG> <SPAN>4/14/2024: A hotfix for each of the PAN-OS versions (10.2, 11.0, 11.1) affected by&nbsp;CVE-2024-3400 is now available in the Customer Support Portal (</SPAN><STRONG><A href="https://support.paloaltonetworks.com/Updates/SoftwareUpdates/" target="_blank" rel="noopener" data-saferedirecturl="https://www.google.com/url?q=https://support.paloaltonetworks.com/Updates/SoftwareUpdates/&amp;source=gmail&amp;ust=1713249852722000&amp;usg=AOvVaw29BBKXvJyZJ93MEpyHWvKG">CSP</A></STRONG><SPAN>) and inside PAN-OS (both NGFWs and Panorama). An ETA for other commonly deployed versions of PAN-OS is available on the product security advisory fo</SPAN>r <STRONG><A href="https://security.paloaltonetworks.com/CVE-2024-3400" target="_blank" rel="noopener" data-saferedirecturl="https://www.google.com/url?q=https://security.paloaltonetworks.com/CVE-2024-3400&amp;source=gmail&amp;ust=1713249852722000&amp;usg=AOvVaw0h2yo1Bz7MTwX1GDejNxUf">CVE-2024-3400</A></STRONG>.<SPAN> It is recommended to apply this hotfix and also complete the mitigations recommended in the advisory.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><STRONG>Note 2:</STRONG> This document uses <SPAN>CVE-2024-3400</SPAN> as an example in this how-to guide, where vulnerability protection signature #<SPAN>95187</SPAN> was released in content version <SPAN>8833-8682</SPAN>, released on <SPAN>4/11/2024</SPAN> to detect and prevent attempted attacks. The vulnerability affected GlobalProtect portal and gateway services. This document assumes that the firewall is already configured and used as a GlobalProtect portal and/or gateway service.</P> <H6>&nbsp;</H6> <P>&nbsp;</P> <P><STRONG>Configuration Steps:</STRONG></P> <P>&nbsp;</P> <P><STRONG>Step 1: Ensure that you have the latest content update installed that includes the relevant threat protection</STRONG></P> <UL> <LI>Make sure the content version that you are running includes the threat signature(s) that need to be applied to the GlobalProtect interfaces in order to block the attack.</LI> <LI>In the example used in this document, the minimum content version required is <SPAN>8833-8682</SPAN>, which was released on <SPAN>4/11/2024</SPAN>.</LI> </UL> <P>&nbsp;</P> <P><STRONG>Step 2: Determine the correct zone for GP portal and GP gateway</STRONG></P> <OL> <UL> <LI>If a GP Portal is configured, go to <I>Network &gt; GlobalProtect &gt; Portals</I>&nbsp;and find the portal and associated interface. In the example below, you will see we are using <STRONG>GP-Auto-Portal1 </STRONG>as an example. The interface that the portal connects to is shown to be&nbsp;<STRONG><STRONG>ethernet1/1</STRONG>.</STRONG></LI> </UL> </OL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GlobalProtect Step 2.png" style="width: 512px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20743iB043183AB63472FC/image-size/large?v=v2&amp;px=999" role="button" title="GlobalProtect Step 2.png" alt="GlobalProtect Step 2.png" /></span></P> <P>&nbsp;</P> <UL> <LI>Determine the associated zone for the GlobalProtect portal that includes the interface found in the previous step. <BR />Go to <I>Network &gt; Interfaces &gt; Ethernet.</I>&nbsp;In the example below, we can see that interface ethernet1/1 is in <STRONG>GP-untrust zone</STRONG>.</LI> </UL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GlobalProtect Step 2.1.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20744iACEBB58A366540A4/image-size/large?v=v2&amp;px=999" role="button" title="GlobalProtect Step 2.1.png" alt="GlobalProtect Step 2.1.png" /></span></P> <P>&nbsp;</P> <UL> <LI>If a GlobalProtect gateway is configured, go to <I>Network &gt; GlobalProtect &gt; Gateways</I>&nbsp;and find the gateway and associated interface. In the example below, you will see we are using <STRONG>GP-GW1</STRONG> as an example. The interface is <STRONG>loopback.1</STRONG>.</LI> </UL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GlobalProtect Step 2.2.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20745i6381592E61E007E2/image-size/large?v=v2&amp;px=999" role="button" title="GlobalProtect Step 2.2.png" alt="GlobalProtect Step 2.2.png" /></span></P> <P>&nbsp;</P> <UL> <LI>Determine the zone associated with the GlobalProtect gateway. Go to <I>Network &gt; Interfaces &gt; Loopback</I>. We can see that interface <STRONG>loopback.1</STRONG> is also in <STRONG>GP-untrust zone</STRONG>. Now we know the zone for the portal and gateway, which we need to protect with a vulnerability protection profile.</LI> </UL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GlobalProtect step 2.3.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20746iCD1B89EE89DCC212/image-size/large?v=v2&amp;px=999" role="button" title="GlobalProtect step 2.3.png" alt="GlobalProtect step 2.3.png" /></span><BR /><BR /></P> <P>&nbsp;</P> <P><STRONG>Step 3: Modify or Create a New Vulnerability Protection Profile&nbsp;</STRONG></P> <P>Configure a new or existing vulnerability profile that is specifically configured to block the relevant threat impacting the GlobalProtect services. Go to <I>Objects &gt; Security Profiles &gt; Vulnerability Protection</I>. We recommend as a best practice to simply set the blocking action of “reset-server” for all critical severity signature triggers.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GlobalProtect Step 3.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20747i9E969116846D2A7F/image-size/large?v=v2&amp;px=999" role="button" title="GlobalProtect Step 3.png" alt="GlobalProtect Step 3.png" /></span></P> <P>&nbsp;</P> <UL> <LI>Alternatively, you can add an exception specifically for the relevant signature (#<SPAN>95187</SPAN> in this case) to configure the reset-server action for this signature when it triggers (see below).</LI> </UL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-14 at 8.33.05 AM.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/59052iD8C3BB565473E629/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-14 at 8.33.05 AM.png" alt="Screenshot 2024-04-14 at 8.33.05 AM.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Step 4: Modify or create a firewall security rule</STRONG></P> <P>After modifying or creating a new vulnerability protection object, verify what security policies were in place to protect GlobalProtect services, and add newly created Vulnerability Protection Profile. If you already have a customized / Best Practices Profile attached to your security policy, please go back to Step 3 and amend your existing Vulnerability Protection Profile instead of creating a new one.</P> <P>&nbsp;</P> <P><LI-WRAPPER></LI-WRAPPER></P> <P>If you did not have an existing security policy and rule in place, then go ahead and create a security rule to apply the vulnerability protection profile to. Go to<SPAN>&nbsp;</SPAN><I>Policies &gt; Security</I>. Create a new policy. In this example, we name it “block_gp_vulnerability.” The source zone should be “any” and the destination zone is the GlobalProtect gateway and/or GlobalProtect portal zones we found in step 1. Assign to this rule the Vulnerability Protection Profile you modified or created in step 3. Please make sure that the rest of the the applied policy and security policies follow our<SPAN>&nbsp;</SPAN><A href="https://docs.paloaltonetworks.com/best-practices" target="_blank" rel="noopener" data-saferedirecturl="https://www.google.com/url?q=https://docs.paloaltonetworks.com/best-practices&amp;source=gmail&amp;ust=1713217477189000&amp;usg=AOvVaw2Gx6vV8z85OJ5ziFVHUPcs">best practices guides</A>.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GlobalProtect Step 4.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20749i7004237E22D988AC/image-size/large?v=v2&amp;px=999" role="button" title="GlobalProtect Step 4.png" alt="GlobalProtect Step 4.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Step 5: Commit</STRONG></P> <P>Commit the changes to apply the new Vulnerability Protection Profile to the Security Rule protecting the GP Portal and/or Gateway.&nbsp; Any attempted attacks against the GlobalProtect services that attempt to use this specific vulnerability will be blocked and logged in the threat log.</P> <P>&nbsp;</P> <H3 id="toc-hId-1663738456"><STRONG>FAQ:</STRONG></H3> <P>&nbsp;</P> <DIV class="p-rich_text_section"><STRONG data-stringify-type="bold">Is GlobalProtect enabled?</STRONG></DIV> <UL class="p-rich_text_list p-rich_text_list__bullet" data-stringify-type="unordered-list" data-indent="0" data-border="0"> <LI data-stringify-indent="0" data-stringify-border="0">You can verify by checking for entries in your firewall web interface (Network &gt; GlobalProtect)</LI> </UL> <P>&nbsp;</P> <DIV class="p-rich_text_section"><STRONG data-stringify-type="bold">Am I compromised?</STRONG></DIV> <UL class="p-rich_text_list p-rich_text_list__bullet" data-stringify-type="unordered-list" data-indent="0" data-border="0"> <LI data-stringify-indent="0" data-stringify-border="0">You can upload a technical support file (TSF) to Customer Support Portal (CSP) after opening a case to determine if your firewall device(s) match(es) known indicators of compromise (IoC).</LI> </UL> <P>&nbsp;</P> <DIV class="p-rich_text_section"> <DIV class="p-rich_text_section"><STRONG data-stringify-type="bold">What do I need to do?</STRONG></DIV> <UL class="p-rich_text_list p-rich_text_list__bullet" data-stringify-type="unordered-list" data-indent="0" data-border="0"> <LI data-stringify-indent="0" data-stringify-border="0">Review the output of technical support file (TSF) analysis (see above question) to understand the level of attempted exploitation and remediation steps provided in the Unit 42<SPAN>&nbsp;</SPAN><A class="c-link c-link--focus-visible" href="https://unit42.paloaltonetworks.com/cve-2024-3400/" target="_blank" rel="noopener noreferrer" data-stringify-link="https://unit42.paloaltonetworks.com/cve-2024-3400/" data-sk="tooltip_parent">Threat Brief</A><SPAN>&nbsp;</SPAN>for CVE-2024-3400.</LI> <LI data-stringify-indent="0" data-stringify-border="0">As a best practice, we strongly recommend all customers apply the Threat Prevention signature with Threat ID 95187 and 95189 (available in Applications and Threats content version 8835-8689 and later), and apply<SPAN>&nbsp;</SPAN><A class="c-link c-link--focus-visible" href="https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184" target="_blank" rel="noopener noreferrer" data-stringify-link="https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184" data-sk="tooltip_parent">vulnerability protection</A><SPAN>&nbsp;</SPAN>to their GlobalProtect interface.</LI> <LI data-stringify-indent="0" data-stringify-border="0">After completing above steps we strongly recommend installing the hotfix listed in the<SPAN>&nbsp;</SPAN><A class="c-link c-link--focus-visible" href="https://security.paloaltonetworks.com/CVE-2024-3400" target="_blank" rel="noopener noreferrer" data-stringify-link="https://security.paloaltonetworks.com/CVE-2024-3400" data-sk="tooltip_parent">advisory</A><SPAN>&nbsp;</SPAN>for your impacted PAN-OS devices.</LI> </UL> <P>&nbsp;</P> </DIV> <DIV class="p-rich_text_section"><STRONG data-stringify-type="bold">Is Prisma Access or Cloud NGFW impacted by this vulnerability?</STRONG></DIV> <UL class="p-rich_text_list p-rich_text_list__bullet" data-stringify-type="unordered-list" data-indent="0" data-border="0"> <LI data-stringify-indent="0" data-stringify-border="0">Prisma Access and Cloud NGFW are not impacted by this vulnerability.</LI> </UL> <P>&nbsp;</P> <DIV class="p-rich_text_section"><STRONG data-stringify-type="bold">What PAN-OS versions are affected?</STRONG></DIV> <UL class="p-rich_text_list p-rich_text_list__bullet" data-stringify-type="unordered-list" data-indent="0" data-border="0"> <LI data-stringify-indent="0" data-stringify-border="0">This affects PAN-OS versions 10.2 and greater.</LI> <LI data-stringify-indent="0" data-stringify-border="0">Hotfixes are released for PAN-OS 10.2, 11.0 and 11.1 branches. Please refer to the<SPAN>&nbsp;</SPAN><A class="c-link c-link--focus-visible" tabindex="-1" href="https://security.paloaltonetworks.com/CVE-2024-3400" target="_blank" rel="noopener noreferrer" data-stringify-link="https://security.paloaltonetworks.com/CVE-2024-3400" data-sk="tooltip_parent" data-remove-tab-index="true">security advisory</A><SPAN>&nbsp;</SPAN>for more information.</LI> </UL> <P>&nbsp;</P> <DIV class="p-rich_text_section"><STRONG data-stringify-type="bold">Is disabling telemetry an effective mitigation strategy?</STRONG></DIV> <UL class="p-rich_text_list p-rich_text_list__bullet" data-stringify-type="unordered-list" data-indent="0" data-border="0"> <LI data-stringify-indent="0" data-stringify-border="0">In earlier versions of the advisory, disabling device telemetry was listed as a secondary mitigation action. Disabling device telemetry is no longer an effective mitigation. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.</LI> </UL> <P>&nbsp;</P> <DIV class="p-rich_text_section"><STRONG data-stringify-type="bold">How can I look for IoCs and research a potential compromise?</STRONG></DIV> <UL class="p-rich_text_list p-rich_text_list__bullet" data-stringify-type="unordered-list" data-indent="0" data-border="0"> <LI data-stringify-indent="0" data-stringify-border="0">Please refer to the Unit42 Threat Brief (<A class="c-link c-link--focus-visible" tabindex="-1" href="https://unit42.paloaltonetworks.com/cve-2024-3400/" target="_blank" rel="noopener noreferrer" data-stringify-link="https://unit42.paloaltonetworks.com/cve-2024-3400/" data-sk="tooltip_parent" data-remove-tab-index="true">https://unit42.paloaltonetworks.com/cve-2024-3400/</A>) and the Volexity blog post (<A class="c-link c-link--focus-visible" tabindex="-1" href="https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/" target="_blank" rel="noopener noreferrer" data-stringify-link="https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/" data-sk="tooltip_parent" data-remove-tab-index="true">https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/</A>) for the latest information.</LI> </UL> <P>&nbsp;</P> <DIV class="p-rich_text_section"><STRONG data-stringify-type="bold">I applied the hotfix; how can I confirm I’m now “clean”?</STRONG></DIV> <UL class="p-rich_text_list p-rich_text_list__bullet" data-stringify-type="unordered-list" data-indent="0" data-border="0"> <LI data-stringify-indent="0" data-stringify-border="0">Before rebooting into the hotfix it is recommended that you take a TSF and upload for analysis on any level of compromise and take the recommended remediation actions if appropriate</LI> <LI data-stringify-indent="0" data-stringify-border="0">After remediating if needed, upgrading and booting into the hotfix, you can verify that you are running the fixed version of code by running the “show system info” CLI command and checking the sw-version field against what is<SPAN>&nbsp;</SPAN><A class="c-link c-link--focus-visible" tabindex="-1" href="https://security.paloaltonetworks.com/CVE-2024-3400" target="_blank" rel="noopener noreferrer" data-stringify-link="https://security.paloaltonetworks.com/CVE-2024-3400" data-sk="tooltip_parent" data-remove-tab-index="true">published as fixed in the CVE</A>.</LI> <LI data-stringify-indent="0" data-stringify-border="0">You can upload the new TSF for analysis and confirmation that no further indicators of compromise are seen from the upgraded device.</LI> </UL> <P>&nbsp;</P> <DIV class="p-rich_text_section"><STRONG data-stringify-type="bold">Additional Resources on CVE-2024-3400:</STRONG></DIV> <UL class="p-rich_text_list p-rich_text_list__bullet" data-stringify-type="unordered-list" data-indent="0" data-border="0"> <LI data-stringify-indent="0" data-stringify-border="0"><A class="c-link c-link--focus-visible" tabindex="-1" href="https://security.paloaltonetworks.com/CVE-2024-3400" target="_blank" rel="noopener noreferrer" data-stringify-link="https://security.paloaltonetworks.com/CVE-2024-3400" data-sk="tooltip_parent" data-remove-tab-index="true">Security Advisory Page</A></LI> <LI data-stringify-indent="0" data-stringify-border="0"><A class="c-link c-link--focus-visible" tabindex="-1" href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CrM5CAK" target="_blank" rel="noopener noreferrer" data-stringify-link="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CrM5CAK" data-sk="tooltip_parent" data-remove-tab-index="true">Knowledge Base Article</A></LI> <LI data-stringify-indent="0" data-stringify-border="0"><A class="c-link c-link--focus-visible" tabindex="-1" href="https://unit42.paloaltonetworks.com/cve-2024-3400/" target="_blank" rel="noopener noreferrer" data-stringify-link="https://unit42.paloaltonetworks.com/cve-2024-3400/" data-sk="tooltip_parent" data-remove-tab-index="true">UNIT42 on CVE-2024-3400</A></LI> <LI data-stringify-indent="0" data-stringify-border="0"><A class="c-link c-link--focus-visible" tabindex="-1" href="https://www.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve/" target="_blank" rel="noopener noreferrer" data-stringify-link="https://www.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve/" data-sk="tooltip_parent" data-remove-tab-index="true">More on CVE-2024-3400</A></LI> </UL> Wed, 24 Apr 2024 17:11:20 GMT maurisy 2024-04-24T17:11:20Z https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184 <P>View the configuration steps for applying a vulnerability protection security profile to GlobalProtect.</P> Wed, 24 Apr 2024 17:11:20 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184 maurisy 2024-04-24T17:11:20Z https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583477#M75 <P>I upgraded to version 8833, but signature ID 95187 is not visible.</P> Fri, 12 Apr 2024 07:51:16 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583477#M75 BYUNGKWON-LEE 2024-04-12T07:51:16Z https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583478#M76 <P>Yep, it was not there.</P> Fri, 12 Apr 2024 08:06:45 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583478#M76 cciwa-admin 2024-04-12T08:06:45Z https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583479#M77 <P>Same here</P> Fri, 12 Apr 2024 08:14:23 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583479#M77 ipohlschneider 2024-04-12T08:14:23Z https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583480#M78 <P>I confirm, ThreatID 95187 not present in content update 8833-8682</P> Fri, 12 Apr 2024 08:16:49 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583480#M78 SomeSuch 2024-04-12T08:16:49Z https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583481#M79 <P>upgraded to 8833-8682, cannot find 95187</P> Fri, 12 Apr 2024 08:17:31 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583481#M79 B.Yeung 2024-04-12T08:17:31Z https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583482#M80 <P>95187 is in the release notes, but searching for it in the profile editing section yields no results.</P> Fri, 12 Apr 2024 08:21:06 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583482#M80 michelealbrigo 2024-04-12T08:21:06Z https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583485#M81 <P>Same issue as the above users 95187 is missing.</P> Fri, 12 Apr 2024 08:24:39 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583485#M81 RyanMinty 2024-04-12T08:24:39Z https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583489#M82 app only shows the signature. However, the signature for app+threat is not visible. Fri, 12 Apr 2024 08:30:08 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583489#M82 BYUNGKWON-LEE 2024-04-12T08:30:08Z https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583496#M83 <P><SPAN>Same issue there is no 95187 in PAN-OS content update 8833-8682</SPAN></P> Fri, 12 Apr 2024 09:09:47 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583496#M83 hien.vo 2024-04-12T09:09:47Z https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583499#M84 <P>it is visible in CLI, but not gui</P><P>show threat id 95187</P><P><BR />This signature detects malicious payload in HTTPS request.</P><P>critical<BR />Unknown<BR /><A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention</A></P> Fri, 12 Apr 2024 09:19:00 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583499#M84 chagberg 2024-04-12T09:19:00Z https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583500#M85 <P><SPAN>Apparently none of the new vulnerability signatures added to content release&nbsp;8833 are visible, not only&nbsp;signature ID 95187.</SPAN></P><P><SPAN>Is everybody experiencing this same issue?</SPAN></P> Fri, 12 Apr 2024 09:19:52 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583500#M85 Gustor 2024-04-12T09:19:52Z https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583502#M86 <P>I found the following article about missing threat ID's:</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U27CAE" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U27CAE</A></P> Fri, 12 Apr 2024 09:32:44 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583502#M86 Gustor 2024-04-12T09:32:44Z https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583511#M87 <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U27CAE" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U27CAE</A></P><P>I follow this article to use cli to add, although after added gui still not seen 95187, but total exceptions increase one.</P> Fri, 12 Apr 2024 09:38:25 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583511#M87 B.Yeung 2024-04-12T09:38:25Z https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583512#M88 <P>anyone know why threat id 95187 is showing threat name 'Malicious HTTPS Request Detection' and not related to the actual command injection vulnerability ?&nbsp;</P> Fri, 12 Apr 2024 09:43:19 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583512#M88 Gurminder_Birdee 2024-04-12T09:43:19Z https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583513#M89 <P>I reverted the app and deleted 8833, then downloaded the app again and reinstalled it to solve the problem.</P> Fri, 12 Apr 2024 09:48:56 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583513#M89 BYUNGKWON-LEE 2024-04-12T09:48:56Z https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583514#M90 <P>Yeah, I think we all have same problem here, after updating the threat &amp; apps, we couldn't find the Threat ID&nbsp;<SPAN>95187, it's strange, pls let me know if there's an update</SPAN></P> Fri, 12 Apr 2024 09:50:01 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583514#M90 bachtiar.adiguna 2024-04-12T09:50:01Z https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583516#M91 <P>same issue with&nbsp;<SPAN>95187 not showing</SPAN></P> Fri, 12 Apr 2024 10:21:12 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583516#M91 GarethBulleyGarethBulley 2024-04-12T10:21:12Z https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583519#M92 <P>did the same as&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/137526">@BYUNGKWON-LEE</a>,&nbsp;and it now shows up in GUI.</P> Fri, 12 Apr 2024 10:32:17 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583519#M92 chagberg 2024-04-12T10:32:17Z https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583521#M93 <P>same here,&nbsp;<SPAN>95187 not showing</SPAN></P> Fri, 12 Apr 2024 10:54:15 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/tac-p/583521#M93 SOMJOB 2024-04-12T10:54:15Z