How do I apply the anti-POODLE (SSLv3) threat detection to GlobalProtect?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How do I apply the anti-POODLE (SSLv3) threat detection to GlobalProtect?

L2 Linker

I wanted to test detection of vulnerability 36815 on inbound traffic to the GlobalProtect portal. I'd received an email from PAN on 10/20 which suggested signature 36815 could be used to block attempted SSL 3.0 sessions including "GlobalProtect SSL VPN". I'll settle for detecting it, which should happen with the default or strict vulnerability protection policy.

So I tried creating a security policy that explicitly allows SSL to the ip address of the GP portal, with a profile that applies strict vulnerability protection.

Now if I run the tool at https://www.ssllabs.com/ssltest I can see the traffic in the monitor and I can verify that the rule matches the policy I created. But the test for SSLv3 by Qualys doesn't show up in the threat monitor.

6 REPLIES 6

L6 Presenter

Hi Elliot,

SSLv3 vulnerability is covered in latest content. It should detect if rule has anti-vuln profile configured.

Refer following thread for more detail.

Re: Is it possible to Specifically Disable SSL 3.0 on a Palo Alto Interface

Regards,

Hardik Shah

Yes, if I enable, say, the strict vulnerability protection policy on outbound connections, the SSLv3 alert will fire when I access https://www.poodletest.com/ from my workstation inside the LAN.

If I point the tool mentioned above at my GlobalProtect portal, I agree that it should detect SSLv3. But it doesn't, even though the traffic is logged due to the security policy for ssl traffic to the GlobalProtect portal.

Hi Elliot,

I think firewall is not on latest content, please provide me output for

1. Show system info

Regards,

Hardik Shah

> show system info

hostname: PA-5060

ip-address: 10.0.12.1

netmask: 255.255.252.0

default-gateway:

ipv6-address: unknown

ipv6-link-local-address: fe80::290:bff:fe1e:75ae/64

ipv6-default-gateway:

mac-address: 00:90:0b:1e:75:ae

time: Mon Oct 27 16:25:33 2014

uptime: 32 days, 0:14:15

family: 5000

model: PA-5060

serial: 0008C100420

sw-version: 6.0.5

global-protect-client-package-version: 2.0.4

app-version: 465-2419

app-release-date: 2014/10/23  09:15:45

av-version: 1401-1873

av-release-date: 2014/10/24  04:00:01

threat-version: 465-2419

threat-release-date: 2014/10/23  09:15:45

wildfire-version: 43176-49703

wildfire-release-date: 2014/10/26  06:29:02

url-filtering-version: 2014.10.24.806

global-protect-datafile-version: 1414396318

global-protect-datafile-release-date: 2014/10/27 07:51:58

logdb-version: 6.0.6

platform-family: 5000

logger_mode: False

vpn-disable-mode: off

operational-mode: normal

multi-vsys: off

L4 Transporter

The Vulnerability signature which is provided will not be applied to traffic destined to  firewall

For example: people from DMZ are tried to manage firewall on firewall's DMZ interface, the signature will not be enough to identify ssl3, because content inspection is not applied when traffic is destined to firewall and not passing through the firewall. The same will apply to GP. we would not be able to identify this when SSL connection terminates on untrust interface of firewall

The work around while we wait for engineering is to host the GP on loopback. Because when the service is hosted on loopback (different zone). This will make packet pass though the CTD engine of firewall to detect vulnerability.

Regards

Sai


~ Sai Srivastava Tumuluri ~

I have tested this before in the lab that vulnerability profile applied to traffic destined to firewall does work for management but not GP (even if is on a loopback in a different zone).

  • 4295 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!