https://live.paloaltonetworks.com/t5/general-topics/robot-attack-some-advice-needed/m-p/193664#M58030 As best practice I'd recommend moving the GP interface (and any other 'service' including mgmt etc) to a retracted interface like a loopback so any packets need to pass through the dataplane before even touching the service Wed, 03 Jan 2018 19:09:46 GMT reaper 2018-01-03T19:09:46Z https://live.paloaltonetworks.com/t5/general-topics/robot-attack-some-advice-needed/m-p/193575#M58014 <P>Hello</P><P>&nbsp;</P><P>According to <A href="https://live.paloaltonetworks.com/t5/Threat-Vulnerability-Articles/PAN-OS-exposure-to-ROBOT-attack/ta-p/192397" target="_self">https://live.paloaltonetworks.com/t5/Threat-Vulnerability-Articles/PAN-OS-exposure-to-ROBOT-attack/ta-p/192397</A></P><P><SPAN>For complete protection, signature&nbsp;#38407 must be applied <EM>upstream</EM> from any interfaces implementing SSL Decryption, or hosting a GlobalProtect portal or a GlobalProtect gateway.</SPAN></P><P>&nbsp;</P><P><SPAN>I have 760 content update applied. I tryed to scan ma GP interface using <A href="https://robotattack.org/" target="_self">https://robotattack.org/</A> scanner and of course I'm voulnereable because I'm using PANOS 8.0.6h3 but in threat logs I see nothing related to ROBOT or 38407&nbsp; attack.</SPAN></P><P>&nbsp;</P><P><SPAN>What security policy I should have to protect before this attact? I'm not using SSL decryption.</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P><SPAN>Regards</SPAN></P><P><SPAN>SLawek</SPAN></P> Wed, 03 Jan 2018 09:13:45 GMT https://live.paloaltonetworks.com/t5/general-topics/robot-attack-some-advice-needed/m-p/193575#M58014 _slv_ 2018-01-03T09:13:45Z https://live.paloaltonetworks.com/t5/general-topics/robot-attack-some-advice-needed/m-p/193656#M58024 <P>What security policy permits traffic from Untrust to your GP Portal/Gateway?&nbsp; Do you have an explicit policy defined, or are you relying on the default/implicit intra-zone permit policy (which defaults to no logging)?</P><P>&nbsp;</P><P>You can either create an explicit policy before the intra-zone policy that permits untrust to untrust/gp portal+gateway, with vulnerability signatures &amp; logging enabled... or you can modify(override) the default intra-zone policy and make your changes on the action tab.&nbsp;&nbsp;</P> Wed, 03 Jan 2018 17:55:12 GMT https://live.paloaltonetworks.com/t5/general-topics/robot-attack-some-advice-needed/m-p/193656#M58024 jvalentine 2018-01-03T17:55:12Z https://live.paloaltonetworks.com/t5/general-topics/robot-attack-some-advice-needed/m-p/193662#M58028 I'll have to disagree with <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/22017">@jvalentine</a> on this one:<BR /><BR />The service, if running on the external interface, will already be vulnerable before the intrazone policy is able to protect it<BR />Ideally you should either block the vulnerability upstream (this can be accomplished by gearing a vwire in front of the untrust interface,), or you can host the GP service on a loopback interface (this loopback can also be in the untrust zone, but because the packets need to "jump" interfaces, they can efficiently be blocked by a security profile) Wed, 03 Jan 2018 18:20:52 GMT https://live.paloaltonetworks.com/t5/general-topics/robot-attack-some-advice-needed/m-p/193662#M58028 reaper 2018-01-03T18:20:52Z https://live.paloaltonetworks.com/t5/general-topics/robot-attack-some-advice-needed/m-p/193663#M58029 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>Yes You are right. I'm using&nbsp; external interface in GP configuration.</P><P>I checked KB and I found <A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Global-Protect-Gateway-on-Loopback-Interface/ta-p/56866" target="_self">link</A></P><P>&nbsp;</P><P>Do You have better doc for it?</P><P>as we know ... in the future for sure will be another volnureability so the best option will be properly configure GP to use ThreatPrevention to protect it.</P><P>&nbsp;</P><P>Regards</P><P>Slawek</P> Wed, 03 Jan 2018 18:48:06 GMT https://live.paloaltonetworks.com/t5/general-topics/robot-attack-some-advice-needed/m-p/193663#M58029 _slv_ 2018-01-03T18:48:06Z https://live.paloaltonetworks.com/t5/general-topics/robot-attack-some-advice-needed/m-p/193664#M58030 As best practice I'd recommend moving the GP interface (and any other 'service' including mgmt etc) to a retracted interface like a loopback so any packets need to pass through the dataplane before even touching the service Wed, 03 Jan 2018 19:09:46 GMT https://live.paloaltonetworks.com/t5/general-topics/robot-attack-some-advice-needed/m-p/193664#M58030 reaper 2018-01-03T19:09:46Z https://live.paloaltonetworks.com/t5/general-topics/robot-attack-some-advice-needed/m-p/193743#M58055 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a></P><P>&nbsp;</P><P>thanks for the clarification... "upstream" getting the most emphasis.&nbsp; Also good to know the added benefit of running on loopbacks vs interfaces.&nbsp; Have to tuck that away for future reference.&nbsp; Thanks!</P> Wed, 03 Jan 2018 22:26:21 GMT https://live.paloaltonetworks.com/t5/general-topics/robot-attack-some-advice-needed/m-p/193743#M58055 jvalentine 2018-01-03T22:26:21Z