How to fix this vulnerability in palo alto?




Please help to resolve the following vulnerability

Vulnerabilities :
1. HTTP DELETE Method Enabled (http-delete-method-enabled)
2. HTTP OPTIONS Method Enabled (http-options-method-enabled)
3. TLS/SSL Server Supports The Use of Static Key Ciphers (ssl-static-key-ciphers)

Thanks in advance



We are also getting the same vulnerabilities from Security Scans on the Management Port.


We are running PAN OS 8.1.9


Any assistance would be greatly appreciated.





Hi Stuart,

Regarding the HTTP OPTIONS and DELETE methods being allowed (note there is no associated CVE and both are standard HTTP methods):

After review, both HTTP methods do not have actual impact on the firewall management Web GUI; therefore the said vulnerability was not applicable in this scenario.

The Palo Alto firewall allows the HTTP OPTIONS and DELETE methods because a new RESTful API capability is using them, not the web server itself. Therefore these two listed vulnerabilities are not applicable to Palo Alto Networks firewalls.


For the last vulnerability, "3. TLS/SSL Server Supports The Use of Static Key Ciphers (ssl-static-key-ciphers)", related to static key ciphers, this can be mitigated by using an ECDSA-based certificate, which will limit to the following forward secrecy ciphers in 8.1



Steps for securing the administrative access:

1) Generate/import an ECDSA server certificate on the firewall. This can be generated by using a self-signed CA ECDSA or your internal PKI ECDSA certificate. Please note the certificate that is referenced by the SSL/TLS service profile cannot be a CA certificate.
2) Create an SSL/TLS service profile with Min and Max versions set to TLSv1.2
3) Reference the ECDSA certificate in the service profile
4) Apply the profile(s) to the various L3 SSL/TLS services

Hope this clarifies.


Sethupathi M
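
As an added example (not part of the reply above and not Palo Alto Networks code), this Python check helps confirm the result after the ECDSA service profile is applied: it classifies cipher suite names from a scan report as static-key or ephemeral, and can probe your own management interface by offering only static-RSA suites. The function names, the sample suite lists (constructed, not the PAN-OS cipher list) and the host passed to the probe are assumptions.

```python
import socket
import ssl

# Key-exchange prefixes that use ephemeral keys (IANA and OpenSSL spellings).
EPHEMERAL_KX = ("ECDHE_", "DHE_", "EDH_", "ADH_", "AECDH_", "DH_ANON_", "ECDH_ANON_")

# Constructed sample: suites a scan report might list before and after the change.
BEFORE = ["TLS_RSA_WITH_AES_128_CBC_SHA", "AES256-GCM-SHA384",
          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
AFTER = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384"]


def is_static_key_cipher(name: str) -> bool:
    """True when the suite's key exchange is static (RSA, DH, ECDH, PSK)."""
    n = name.upper().replace("-", "_")
    if n.startswith("TLS_"):
        if "_WITH_" not in n:
            return False  # TLS 1.3 suite names carry no key exchange; always ephemeral
        n = n[len("TLS_"):]
    return not n.startswith(EPHEMERAL_KX)


def static_key_findings(offered):
    """Return the offered suites a scanner would report as ssl-static-key-ciphers."""
    return [c for c in offered if is_static_key_cipher(c)]


def accepts_static_rsa(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Offer only static-RSA suites; a completed handshake means the finding remains."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # management certificates are often self-signed
    ctx.verify_mode = ssl.CERT_NONE   # this tests cipher negotiation, not trust
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("kRSA")           # OpenSSL selector for static RSA key exchange
    # Connection errors propagate so "unreachable" is never mistaken for "fixed".
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
        except ssl.SSLError:
            return False              # server refused every static-RSA suite


if __name__ == "__main__":
    print("before:", static_key_findings(BEFORE))
    print("after: ", static_key_findings(AFTER))
```
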


We want to find out with your help if there are recommended official docs about those vulnerabilities identified in a generic Vuln Scan on Management Web Interface:

1. HTTP DELETE Method Enabled (http-delete-method-enabled)
2. HTTP OPTIONS Method Enabled (http-options-method-enabled)
3. TLS/SSL Server Supports The Use of Static Key Ciphers (ssl-static-key-ciphers)

Do you know if there is official Palo Alto documentation support?
Thanks for your help


Yes, there are official docs from PAN for HTTP methods; please check the KB HTTP Options/Delete Method Enabled Vulnerability.



