PAN-SA-2017-0010 - INFORMATION DISCLOSURE IN THE MANAGEMENT WEB INTERFACE


L0 Member

Hello

 

I detected a bug, PAN-SA-2017-0010 - INFORMATION DISCLOSURE IN THE MANAGEMENT WEB INTERFACE, in the Palo Alto environment that I support. Would you give me some recommendation/workaround?

3 REPLIES

Cyber Elite

Update to 7.1.9 or higher. 

Limit the management interface to only those IPs that actually need it. 

The attacker needs to be authenticated in the management interface, so don't give people access that you don't trust. 

Restrict access to a set time schedule. 

Could you provide me the appropriate steps to carry out the recommendations?

@Diego.Montoya,

Access to the management IP can be restricted by clicking on the gear icon on the management interface settings on the Devices Management settings like pictured below. [Image: Capture.PNG]

 

You could set up an access schedule as long as your management network traffic traverses your firewall and requires that your security policy allowing access to that IP address gets assigned a Schedule to limit the times that the management network is allowed. If you put access on a schedule I would recommend leaving your Network Operations computers off of this scheduled access policy so that they can work on the device whenever needed.

 

If you have management enabled on your actual interfaces and not your management interface then you can still restrict that access to set IP addresses; you just need to modify your Interface Mgmt profile to include listed 'Permitted IP Addresses' so that it doesn't allow everything like it does by default.

 

Hope that helps.  

 

  • 1714 Views
  • 3 replies
  • 0 Likes
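
The permitted-IP advice in the replies above can be checked offline against an exported configuration. The script below is an added example, not code from the thread or from Palo Alto Networks: it flags a management interface or an Interface Mgmt profile that has no permitted-IP list or a very broad one. The XML element paths, the constructed sample config and the /24 threshold are assumptions to adjust for your own export.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of an exported running config (not taken from a real device).
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
  <deviceconfig><system>
    <permitted-ip><entry name="10.20.30.0/24"/><entry name="0.0.0.0/0"/></permitted-ip>
  </system></deviceconfig>
  <network><profiles><interface-management-profile>
    <entry name="inside-mgmt"><https>yes</https><ssh>yes</ssh>
      <permitted-ip><entry name="10.20.30.15"/></permitted-ip></entry>
    <entry name="open-mgmt"><https>yes</https><ping>yes</ping></entry>
    <entry name="ping-only"><ping>yes</ping></entry>
  </interface-management-profile></profiles></network>
</entry></devices></config>"""

ADMIN_SERVICES = ("http", "https", "ssh", "telnet")  # services that expose an admin login
MAX_HOSTS = 256  # assumed policy threshold: anything wider than a /24 is flagged


def check_permitted(node, label):
    """Return findings for one <permitted-ip> container (node may be None)."""
    entries = [] if node is None else [e.get("name") for e in node.findall("entry")]
    if not entries:
        return [f"{label}: no permitted-ip list, any source address is allowed"]
    findings = []
    for value in entries:
        net = ipaddress.ip_network(value, strict=False)
        if net.num_addresses > MAX_HOSTS:
            findings.append(f"{label}: permitted-ip {value} is broader than a /24")
    return findings


def audit(xml_text):
    """Audit the management interface and every profile that enables an admin service."""
    root = ET.fromstring(xml_text)
    findings = []
    for dev in root.findall("./devices/entry"):
        findings += check_permitted(
            dev.find("./deviceconfig/system/permitted-ip"), "management interface")
        for prof in dev.findall("./network/profiles/interface-management-profile/entry"):
            if any(prof.findtext(s) == "yes" for s in ADMIN_SERVICES):
                findings += check_permitted(
                    prof.find("permitted-ip"), f"profile '{prof.get('name')}'")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

Profiles that only answer ping are skipped, since they do not expose the management login that the advisory concerns.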