02-05-2018 07:29 PM - edited 02-05-2018 07:38 PM
Hello Geeks,
During our compliance scanning (PCI-DSS External Scanning) process on our Palo Alto 3020 firewalls, the scanner found a new vulnerability, "CWE-693: Protection Mechanism Failure", and suggested fixing it ASAP to comply. Hence, I started googling to solve this issue and found no useful solutions for it yet. Is there any way to solve this issue? I am sure that every organization trying to comply with the PCI-DSS external scanning process is facing this issue now. I really appreciate your kind suggestions and help.
Best Regards,
Wai Yan Phyo
02-06-2018 02:46 AM
Does the scan provide a subdivision of detected failures?
The CWE seems to be an extremely broad statement that can't be addressed in itself (besides pulling the plug).
Did you scan the management interface or a dataplane management profile? Have you got weak services enabled (telnet, http, ...) maybe?
02-06-2018 07:03 PM
Hi Reaper,
Thanks for your kind response.
The scanner reported that the following HTTP headers are absent on our firewall:
X-XSS-Protection
X-Frame-Options
X-Content-Type-Options
Public-Key-Pins
Strict-Transport-Security
As this is external compliance scanning, the public-facing (external) interface was scanned, and we didn't enable any insecure services like telnet and http.
02-07-2018 01:48 AM
Is there a management profile enabled on your external interface?
There are a couple of tips to improve security on your external interface:
Don't run a management profile on it; use GlobalProtect instead to get to the internal network and connect from there. If this is not an option, enable an ACL on the management profile restricting access to only a select few management IPs.
If this was not a mgmt profile but the GP portal/gateway, you can move the portal and gateway to a loopback interface so you can create a security profile to protect the portal/gw.
If this was a scan that hit a NAT rule (so a scan rerouted to an internal server), you'll need to review your internal server, but you can add a decryption policy with a decryption profile that enforces a minimum protocol version and algorithms.
02-07-2018 09:00 PM
- There is no management profile enabled on this external interface.
- Yes, this is just used for the GlobalProtect portal/gateway. We may consider using it with a loopback and setting security profiles on it as per your suggestions.
- Apart from this secure protection on the firewall, is there any other HTTP header protection which can be enabled on the firewall? I am asking because the scanner would show the same unprotected vulnerability in the report after scanning, due to the lack of its suggested protection methods being enabled on the firewall.
- Only manual verification/testing would prove that the device is protecting itself from these mentioned risks. Also, we are not sure if the ASV would accept these secure and hardening ways as a compensating control to mitigate this vulnerability.
However, we really appreciate your kind, patient and continuous suggestions and support.
02-08-2018 02:51 AM
The GP portal and gateway are already hardened, but putting a security profile on top would block incoming scans or exploits for potentially vulnerable services before they hit the service itself.
Legitimate connections where something is reported as missing would still come back, but an actual exploit would be blocked by the profile.
You could reach out to your local sales team to have a more thorough investigation of your configuration; they can run best practices and recommendations tools on your config, make a more in-depth analysis of your situation and possibly provide better tailored mitigation advice.
04-23-2018 02:19 PM
Having the same issue, however I am getting this not on the GP interface but on another. How did you solve this?
04-23-2018 11:52 PM
Hi Sruddy,
PA recommends upgrading to PAN-OS 8.0.8 to mitigate this vulnerability. This upgrade will enable the following HTTP headers in the PA firewall:
X-XSS-Protection
X-Content-Type-Options
Content-Security-Policy
Thank you.
Best Regards,
Wai Yan
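The thread lists the headers the ASV scanner wanted (X-XSS-Protection, X-Frame-Options, X-Content-Type-Options, Public-Key-Pins, Strict-Transport-Security), notes that only manual testing proves the device actually sends them, and ends with the PAN-OS 8.0.8 upgrade adding three of them. The script below is an added example, not code from the thread or from Palo Alto Networks: it audits a raw HTTP response for those headers, distinguishes "missing" from "present but weak" (an HSTS max-age that is too short, for instance), and includes a small live fetch so the same check can be run against a portal after an upgrade. The two response blocks embedded in it are constructed for the example, not captured from a real firewall, and the minimum values it enforces (one-year HSTS, DENY/SAMEORIGIN, nosniff) are the author's choices, not the scanner's.

```python
"""Audit HTTP security response headers: offline against a captured response
block, or live against a host. Standard library only."""
import http.client
import ssl
from typing import Callable, Dict, List

ONE_YEAR = 31536000  # seconds; commonly used minimum for HSTS max-age

# Header names are case-insensitive in HTTP, so everything is compared lowercased.
# These are the headers the scanner in the thread complained about (minus HPKP,
# handled below) plus Content-Security-Policy, which the 8.0.8 note mentions.
REQUIRED_HEADERS = [
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "content-security-policy",
    "x-xss-protection",
]
# Public-Key-Pins (HPKP) has since been dropped by browsers; report it, never require it.
OPTIONAL_HEADERS = ["public-key-pins"]


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.x response into a lowercase dict.
    Stops at the first blank line (start of the body). Later duplicates win."""
    headers: Dict[str, str] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:  # lines[0] is the status line
        if line == "":
            break
        if ":" not in line:
            continue  # malformed header line; ignored here
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_hsts(value: str) -> bool:
    """Accept only an HSTS policy whose max-age is at least one year."""
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            try:
                return int(d.split("=", 1)[1]) >= ONE_YEAR
            except ValueError:
                return False
    return False  # no max-age at all: policy is meaningless


def check_frame_options(value: str) -> bool:
    return value.strip().upper() in ("DENY", "SAMEORIGIN")


def check_nosniff(value: str) -> bool:
    return value.strip().lower() == "nosniff"


def check_csp(value: str) -> bool:
    """Minimal sanity check: the policy must constrain framing or default sources."""
    lowered = value.lower()
    return "frame-ancestors" in lowered or "default-src" in lowered


def check_xss_protection(value: str) -> bool:
    return value.strip().lower().startswith("1")


VALIDATORS: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": check_hsts,
    "x-frame-options": check_frame_options,
    "x-content-type-options": check_nosniff,
    "content-security-policy": check_csp,
    "x-xss-protection": check_xss_protection,
}


def audit(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a verdict per header: 'ok', 'missing', or 'weak: <value>'."""
    verdicts: Dict[str, str] = {}
    for name in REQUIRED_HEADERS:
        if name not in headers:
            verdicts[name] = "missing"
        elif VALIDATORS[name](headers[name]):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "weak: " + headers[name]
    for name in OPTIONAL_HEADERS:
        verdicts[name] = "present (deprecated)" if name in headers else "absent (fine)"
    return verdicts


def failing(headers: Dict[str, str]) -> List[str]:
    """Required headers that are missing or weak, sorted for stable reporting."""
    return sorted(n for n in REQUIRED_HEADERS if audit(headers)[n] != "ok")


def fetch_headers(host: str, port: int = 443, path: str = "/", verify: bool = True) -> Dict[str, str]:
    """Live check: one GET over TLS, returns the lowercased response headers.
    Hypothetical usage: fetch_headers("vpn.example.com"). Not called by the sample below."""
    ctx = ssl.create_default_context()
    if not verify:  # self-signed portal certificate during testing
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("GET", path, headers={"Host": host})
    return {k.lower(): v for k, v in conn.getresponse().getheaders()}


# Constructed sample responses for the offline run (not captured from a firewall).
BEFORE_UPGRADE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"
AFTER_UPGRADE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Strict-Transport-Security: max-age=300\r\n"  # present but far too short
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("before", BEFORE_UPGRADE), ("after", AFTER_UPGRADE)):
        print(label, audit(parse_response_headers(raw)))
```

Run it as-is for the two constructed responses; for a real portal, call `fetch_headers()` and pass the result to `audit()`. The point of the "weak" verdict is that a scanner's presence check and a real hardening check differ: a header that is sent with a harmless value still satisfies a naive presence test.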