https://live.paloaltonetworks.com/t5/panorama-discussions/vulnerability-assessment-against-panorama-found-two/m-p/565951#M2008 <P>Hi Support,</P> <P>&nbsp;</P> <P>Recently we have Vulnerability Assessment and found two vulnerability on Panorama</P> <P>&nbsp;</P> <P>1.&nbsp;“The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS)&nbsp;on Port 28443<BR /><BR />2.“SSL Certificate Cannot Be Trusted” for port 28270.<BR /><BR />How can we remediate on both vulnerability above?</P> <P>&nbsp;</P> <P>Any advise and solution much appreciated&nbsp;<BR /><BR />Thank you&nbsp;</P> <P>Regards</P> <P>Fariq</P> Thu, 16 Nov 2023 09:06:10 GMT Fariq_Zaidi 2023-11-16T09:06:10Z https://live.paloaltonetworks.com/t5/panorama-discussions/vulnerability-assessment-against-panorama-found-two/m-p/565951#M2008 <P>Hi Support,</P> <P>&nbsp;</P> <P>Recently we have Vulnerability Assessment and found two vulnerability on Panorama</P> <P>&nbsp;</P> <P>1.&nbsp;“The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS)&nbsp;on Port 28443<BR /><BR />2.“SSL Certificate Cannot Be Trusted” for port 28270.<BR /><BR />How can we remediate on both vulnerability above?</P> <P>&nbsp;</P> <P>Any advise and solution much appreciated&nbsp;<BR /><BR />Thank you&nbsp;</P> <P>Regards</P> <P>Fariq</P> Thu, 16 Nov 2023 09:06:10 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/vulnerability-assessment-against-panorama-found-two/m-p/565951#M2008 Fariq_Zaidi 2023-11-16T09:06:10Z https://live.paloaltonetworks.com/t5/panorama-discussions/vulnerability-assessment-against-panorama-found-two/m-p/566423#M2009 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/225107">@Fariq_Zaidi</a>&nbsp;</P> <P>&nbsp;</P> <P>Port 28443 is specifically utilized for downloading content files from Panorama by firewalls. On the other hand, port 28270 is employed for communication between Panorama and managed firewalls or managed collectors.</P> <P>It's important to note that these ports facilitate communication between Palo Alto devices and proper certificate validations are enforced in this communication. The certificates involved can be self-signed. Consequently, the alerts you are observing could be triggered by external tools attempting connection or checks, which may not fully validate the certificates in use.</P> <P>&nbsp;</P> Tue, 21 Nov 2023 03:57:43 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/vulnerability-assessment-against-panorama-found-two/m-p/566423#M2009 akuzhuppilly 2023-11-21T03:57:43Z https://live.paloaltonetworks.com/t5/panorama-discussions/vulnerability-assessment-against-panorama-found-two/m-p/594050#M2421 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/225107">@Fariq_Zaidi</a></P> <P>&nbsp;</P> <P>the issue you described has own KB:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000saRLCAY" target="_self">A vulnerability "HSTS Missing From HTTPS Server" is reported on Panorama on port TCP/28443</A>.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel&nbsp;</P> Mon, 05 Aug 2024 22:50:18 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/vulnerability-assessment-against-panorama-found-two/m-p/594050#M2421 PavelK 2024-08-05T22:50:18Z