How do I apply the anti-POODLE (SSLv3) threat detection to GlobalProtect?


L2 Linker

I wanted to test detection of vulnerability 36815 on inbound traffic to the GlobalProtect portal. I'd received an email from PAN on 10/20 which suggested signature 36815 could be used to block attempted SSL 3.0 sessions including "GlobalProtect SSL VPN". I'll settle for detecting it, which should happen with the default or strict vulnerability protection policy.

So I tried creating a security policy that explicitly allows SSL to the ip address of the GP portal, with a profile that applies strict vulnerability protection.

Now if I run the tool at https://www.ssllabs.com/ssltest I can see the traffic in the monitor and I can verify that the rule matches the policy I created. But the test for SSLv3 by Qualys doesn't show up in the threat monitor.


L6 Presenter

Hi Elliot,

The SSLv3 vulnerability is covered in the latest content. It should be detected if the rule has an anti-vuln profile configured.

Refer to the following thread for more detail.

Re: Is it possible to Specifically Disable SSL 3.0 on a Palo Alto Interface

Regards,

Hardik Shah

Yes, if I enable, say, the strict vulnerability protection policy on outbound connections, the SSLv3 alert will fire when I access https://www.poodletest.com/ from my workstation inside the LAN.

If I point the tool mentioned above at my GlobalProtect portal, I agree that it should detect SSLv3. But it doesn't, even though the traffic is logged due to the security policy for ssl traffic to the GlobalProtect portal.
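The SSL Labs and poodletest checks discussed above boil down to sending an SSLv3 ClientHello and seeing whether the server answers with an SSLv3 ServerHello or an alert. The script below is an added example (not from the thread or from Palo Alto Networks) that does the same against a portal you operate, so you can watch the threat monitor while a known SSLv3 attempt passes the rule; the host, port and cipher suite list are assumptions.

```python
"""Send a minimal SSLv3 ClientHello and classify the reply (constructed example)."""
import socket
import struct
import sys

SSLV3 = b"\x03\x00"  # SSL 3.0 version bytes in the record and handshake headers


def build_sslv3_client_hello() -> bytes:
    """Return a record-framed SSLv3 ClientHello (fixed random for reproducibility)."""
    client_random = b"\x00" * 32  # constructed; a real client uses 32 random bytes
    # Assumed cipher list: 3DES-SHA, AES128-SHA, AES256-SHA, RC4-SHA (IANA values).
    suites = b"\x00\x0a\x00\x2f\x00\x35\x00\x05"
    body = (SSLV3 + client_random + b"\x00"  # empty session id
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00")  # one compression method: null
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16" + SSLV3 + struct.pack(">H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Interpret the first record the server sends back."""
    if len(data) < 5:
        return "no-response"
    content_type = data[0]
    if content_type == 0x15:  # alert record: server refused the handshake
        return "refused"
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:  # ServerHello
        return "sslv3-accepted" if data[9:11] == SSLV3 else "other-version"
    return "unexpected"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the ClientHello and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            return classify_response(sock.recv(4096))
        except (socket.timeout, ConnectionResetError):
            return "no-response"


if __name__ == "__main__":
    # Usage: python sslv3_probe.py <your-portal-host> [port]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(f"{target}:{target_port} -> {probe(target, target_port)}")
```

A result of "refused" from a portal with SSLv3 disabled is expected; what the thread is after is whether the attempt is logged in the threat monitor on the way in, which only happens when the session actually traverses the content inspection engine.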

Hi Elliot,

I think the firewall is not on the latest content; please provide me the output of

1. Show system info

Regards,

Hardik Shah

> show system info

hostname: PA-5060
ip-address: 10.0.12.1
netmask: 255.255.252.0
default-gateway:
ipv6-address: unknown
ipv6-link-local-address: fe80::290:bff:fe1e:75ae/64
ipv6-default-gateway:
mac-address: 00:90:0b:1e:75:ae
time: Mon Oct 27 16:25:33 2014
uptime: 32 days, 0:14:15
family: 5000
model: PA-5060
serial: 0008C100420
sw-version: 6.0.5
global-protect-client-package-version: 2.0.4
app-version: 465-2419
app-release-date: 2014/10/23  09:15:45
av-version: 1401-1873
av-release-date: 2014/10/24  04:00:01
threat-version: 465-2419
threat-release-date: 2014/10/23  09:15:45
wildfire-version: 43176-49703
wildfire-release-date: 2014/10/26  06:29:02
url-filtering-version: 2014.10.24.806
global-protect-datafile-version: 1414396318
global-protect-datafile-release-date: 2014/10/27 07:51:58
logdb-version: 6.0.6
platform-family: 5000
logger_mode: False
vpn-disable-mode: off
operational-mode: normal
multi-vsys: off

L4 Transporter

The vulnerability signature which is provided will not be applied to traffic destined to the firewall.

For example: if people from the DMZ try to manage the firewall on the firewall's DMZ interface, the signature will not be enough to identify SSLv3, because content inspection is not applied when traffic is destined to the firewall and not passing through the firewall. The same will apply to GP. We would not be able to identify this when the SSL connection terminates on the untrust interface of the firewall.

The workaround while we wait for engineering is to host the GP on a loopback, because when the service is hosted on a loopback (in a different zone), the packet passes through the CTD engine of the firewall, which can then detect the vulnerability.

Regards

Sai


~ Sai Srivastava Tumuluri ~

I have tested this before in the lab: a vulnerability profile applied to traffic destined to the firewall does work for management but not for GP (even if it is on a loopback in a different zone).
