https://live.paloaltonetworks.com/t5/general-topics/how-to-fix-this-vulnerability-in-palo-alto/m-p/311198#M80549 <P>Hello</P><P>We want to find out with your help if there are recommended official docs about those vulnerabilities identified in a generic Vuln Scan on Management Web Interface:</P><P>1. HTTP DELETE Method Enabled (http-delete-method-enabled)<BR />2. HTTP OPTIONS Method Enabled (http-options-method-enabled)<BR />3. TLS/SSL Server Supports The Use of Static Key Ciphers (ssl-static-key-ciphers)</P><P>Do you know if there are an official PaloAlto documental support?&nbsp;<BR />Thanks for your help</P> Fri, 14 Feb 2020 06:54:39 GMT egarantiva 2020-02-14T06:54:39Z https://live.paloaltonetworks.com/t5/general-topics/how-to-fix-this-vulnerability-in-palo-alto/m-p/279954#M75796 <P>Hi,</P><P>&nbsp;</P><P>Please help to resolve the following vulnerability</P><P><BR />Vulnerabilities :<BR />1. HTTP DELETE Method Enabled (http-delete-method-enabled)<BR />2. HTTP OPTIONS Method Enabled (http-options-method-enabled)<BR />3. TLS/SSL Server Supports The Use of Static Key Ciphers (ssl-static-key-ciphers)<BR /><BR /></P><P>Thanks in advance</P> Tue, 30 Jul 2019 09:05:10 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-fix-this-vulnerability-in-palo-alto/m-p/279954#M75796 karthikeyanB 2019-07-30T09:05:10Z https://live.paloaltonetworks.com/t5/general-topics/how-to-fix-this-vulnerability-in-palo-alto/m-p/280006#M75810 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/105432">@karthikeyanB</a>,</P><P>Any additional information here would be great, such as what interface you were scanning (MGMT, GlobalProtect Portal)?&nbsp;</P> Tue, 30 Jul 2019 16:30:27 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-fix-this-vulnerability-in-palo-alto/m-p/280006#M75810 BPry 2019-07-30T16:30:27Z https://live.paloaltonetworks.com/t5/general-topics/how-to-fix-this-vulnerability-in-palo-alto/m-p/280243#M75827 <P>Management</P> Wed, 31 Jul 2019 08:48:40 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-fix-this-vulnerability-in-palo-alto/m-p/280243#M75827 karthikeyanB 2019-07-31T08:48:40Z https://live.paloaltonetworks.com/t5/general-topics/how-to-fix-this-vulnerability-in-palo-alto/m-p/281227#M75935 <P>Hi Team,</P><P>&nbsp;</P><P>Could you help us here to fix the vulnerability.</P><P>&nbsp;</P><P>Note:Getting this vulnerability when scaning Management port.</P><P>&nbsp;</P><P>PAN-OS version 8.1.9</P><P>&nbsp;</P><P>Regards,</P><P>Sethupathi M</P> Tue, 06 Aug 2019 05:03:34 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-fix-this-vulnerability-in-palo-alto/m-p/281227#M75935 Sethupathi 2019-08-06T05:03:34Z https://live.paloaltonetworks.com/t5/general-topics/how-to-fix-this-vulnerability-in-palo-alto/m-p/281240#M75937 <P>Hi Team,</P><P>&nbsp;</P><P>Could you help us here to fix the vulnerability.</P><P>&nbsp;</P><P>Note:Getting this vulnerability when scaning Management port.</P><P>&nbsp;</P><P>PAN-OS version 8.1.9</P><P>&nbsp;</P><P>Regards,</P><P>Sethupathi M</P> Tue, 06 Aug 2019 08:04:53 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-fix-this-vulnerability-in-palo-alto/m-p/281240#M75937 Sethupathi 2019-08-06T08:04:53Z https://live.paloaltonetworks.com/t5/general-topics/how-to-fix-this-vulnerability-in-palo-alto/m-p/293274#M77550 <P>Hi</P><P>We are also getting the same vulnerabilities from Security Scans on the Managment Port.</P><P>&nbsp;</P><P>We are running PAN OS 8.1.9</P><P>&nbsp;</P><P>Any assistance would be greatly appreciated.</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Stuart</P> Fri, 18 Oct 2019 12:42:26 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-fix-this-vulnerability-in-palo-alto/m-p/293274#M77550 Stuart_Walton 2019-10-18T12:42:26Z https://live.paloaltonetworks.com/t5/general-topics/how-to-fix-this-vulnerability-in-palo-alto/m-p/293324#M77561 <P>Hi Stuart,</P><P><BR />For HTTP OPTIONS and DELETE method allow (note there is no associated CVE and both are standard HTTP methods).</P><P>After review, both HTTP methods do not have actual impact on firewall management Web GUI therefore the said vulnerability was not applicable in this scenario.</P><P>Palo Alto firewall allows HTTP OPTIONS and DELETE methods because a new RESTful API capability is using it, not the web server itself. Therefore these two listed vulnerabilities are not applicable in Palo Alto Network firewall.</P><P>- HTTP DELETE Method<BR />- HTTP OPTIONS Method</P><P><BR />For the last vulnerability, "3. TLS/SSL Server Supports The Use of Static Key Ciphers (ssl-static-key-ciphers)" related to static key ciphers, this can be mitigated by using a ECDSA based certificate which will limit to the following forward secrecy ciphers in 8.1</P><P>ECDHE-ECDSA-AES-128-SHA<BR />ECDHE-ECDSA-AES-256-SHA<BR />ECDHE-ECDSA-AES-128-GCM-SHA-256<BR />ECDHE-ECDSA-AES-256-GCM-SHA-384</P><P>Reference:<BR /><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5mCAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5mCAC</A></P><P>Steps for securing the administrative access:</P><P>1) Generate/import an ECDSA server certificate on the firewall. This can be generated by using a self-signed CA ECDSA or your internal PKI ECDSA certificate. Please note the certificate that is reference by the SSL/TLS service profile cannot be a CA certificate.<BR />2) Create an SSL/TLS service profile with Min and Max versions set to TLSv1.2<BR />3) Reference the ECDSA certificate in the service profile<BR />4) Apply the profile(s) to the various L3 SSL/TLS services</P><P><BR />Hoped this clarifies.</P><P>&nbsp;</P><P>-<BR />Regards,<BR />Sethupathi M</P> Sat, 19 Oct 2019 07:04:15 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-fix-this-vulnerability-in-palo-alto/m-p/293324#M77561 Sethupathi 2019-10-19T07:04:15Z https://live.paloaltonetworks.com/t5/general-topics/how-to-fix-this-vulnerability-in-palo-alto/m-p/311198#M80549 <P>Hello</P><P>We want to find out with your help if there are recommended official docs about those vulnerabilities identified in a generic Vuln Scan on Management Web Interface:</P><P>1. HTTP DELETE Method Enabled (http-delete-method-enabled)<BR />2. HTTP OPTIONS Method Enabled (http-options-method-enabled)<BR />3. TLS/SSL Server Supports The Use of Static Key Ciphers (ssl-static-key-ciphers)</P><P>Do you know if there are an official PaloAlto documental support?&nbsp;<BR />Thanks for your help</P> Fri, 14 Feb 2020 06:54:39 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-fix-this-vulnerability-in-palo-alto/m-p/311198#M80549 egarantiva 2020-02-14T06:54:39Z https://live.paloaltonetworks.com/t5/general-topics/how-to-fix-this-vulnerability-in-palo-alto/m-p/372296#M88911 <P>Hello,&nbsp;</P><P>Yes, there is an officiel docs from PAN for http methods, please check the KB HTTP Options/Delete Method Enabled Vulnerability.&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HB0hCAG" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HB0hCAG</A></P><P>&nbsp;</P><P>Regards,&nbsp;</P><P>Abdessamed</P> Wed, 09 Dec 2020 16:46:25 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-fix-this-vulnerability-in-palo-alto/m-p/372296#M88911 Abdessamed.Khatir 2020-12-09T16:46:25Z