Applying Vulnerability Protection to GlobalProtect Interfaces

maurisy · ‎07-22-2020

Summary

This document discusses the configuration steps for applying a vulnerability protection security profile to GlobalProtect interface, in order to protect the GlobalProtect services from attacks using published product security vulnerabilities.

Background

In customer deployments that use GlobalProtect for remote access, customers often configure and apply security profiles such as vulnerability protection to network traffic between VPN clients and internal network zones.

There are also certain circumstances where a customer may want to apply a vulnerability protection profile to traffic hitting the GlobalProtect portal and gateway services, which are served by the firewall and not just traffic going through the firewall into the network. For example, there may be situations where a customer wants to block attempted attacks before they are able to upgrade PAN-OS to a patched version. This can be accomplished by applying a properly configured vulnerability protection profile to a firewall rule that is configured to apply to traffic hitting the GlobalProtect portal and gateway services hosted by the firewall.

Note 1: 4/14/2024: A hotfix for each of the PAN-OS versions (10.2, 11.0, 11.1) affected by CVE-2024-3400 is now available in the Customer Support Portal (CSP) and inside PAN-OS (both NGFWs and Panorama). An ETA for other commonly deployed versions of PAN-OS is available on the product security advisory for CVE-2024-3400. It is recommended to apply this hotfix and also complete the mitigations recommended in the advisory.

Note 2: This document uses CVE-2024-3400 as an example in this how-to guide, where vulnerability protection signature #95187 was released in content version 8833-8682, released on 4/11/2024 to detect and prevent attempted attacks. The vulnerability affected GlobalProtect portal and gateway services. This document assumes that the firewall is already configured and used as a GlobalProtect portal and/or gateway service.

Configuration Steps:

Step 1: Ensure that you have the latest content update installed that includes the relevant threat protection

Make sure the content version that you are running includes the threat signature(s) that need to be applied to the GlobalProtect interfaces in order to block the attack.
In the example used in this document, the minimum content version required is 8833-8682, which was released on 4/11/2024.

Step 2: Determine the correct zone for GP portal and GP gateway

If a GP Portal is configured, go to Network > GlobalProtect > Portals and find the portal and associated interface. In the example below, you will see we are using GP-Auto-Portal1 as an example. The interface that the portal connects to is shown to be ethernet1/1.

GlobalProtect Step 2.png

Determine the associated zone for the GlobalProtect portal that includes the interface found in the previous step.
Go to Network > Interfaces > Ethernet. In the example below, we can see that interface ethernet1/1 is in GP-untrust zone.

GlobalProtect Step 2.1.png

If a GlobalProtect gateway is configured, go to Network > GlobalProtect > Gateways and find the gateway and associated interface. In the example below, you will see we are using GP-GW1 as an example. The interface is loopback.1.

GlobalProtect Step 2.2.png

Determine the zone associated with the GlobalProtect gateway. Go to Network > Interfaces > Loopback. We can see that interface loopback.1 is also in GP-untrust zone. Now we know the zone for the portal and gateway, which we need to protect with a vulnerability protection profile.

GlobalProtect step 2.3.png

Step 3: Modify or Create a New Vulnerability Protection Profile

Configure a new or existing vulnerability profile that is specifically configured to block the relevant threat impacting the GlobalProtect services. Go to Objects > Security Profiles > Vulnerability Protection. We recommend as a best practice to simply set the blocking action of “reset-server” for all critical severity signature triggers.

GlobalProtect Step 3.png

Alternatively, you can add an exception specifically for the relevant signature (#95187 in this case) to configure the reset-server action for this signature when it triggers (see below).

Screenshot 2024-04-14 at 8.33.05 AM.png

Step 4: Modify or create a firewall security rule

After modifying or creating a new vulnerability protection object, verify what security policies were in place to protect GlobalProtect services, and add newly created Vulnerability Protection Profile. If you already have a customized / Best Practices Profile attached to your security policy, please go back to Step 3 and amend your existing Vulnerability Protection Profile instead of creating a new one.

If you did not have an existing security policy and rule in place, then go ahead and create a security rule to apply the vulnerability protection profile to. Go to Policies > Security. Create a new policy. In this example, we name it “block_gp_vulnerability.” The source zone should be “any” and the destination zone is the GlobalProtect gateway and/or GlobalProtect portal zones we found in step 1. Assign to this rule the Vulnerability Protection Profile you modified or created in step 3. Please make sure that the rest of the the applied policy and security policies follow our best practices guides.

GlobalProtect Step 4.png

Step 5: Commit

Commit the changes to apply the new Vulnerability Protection Profile to the Security Rule protecting the GP Portal and/or Gateway. Any attempted attacks against the GlobalProtect services that attempt to use this specific vulnerability will be blocked and logged in the threat log.

FAQ:

Is GlobalProtect enabled?

You can verify by checking for entries in your firewall web interface (Network > GlobalProtect)

Am I compromised?

You can upload a technical support file (TSF) to Customer Support Portal (CSP) after opening a case to determine if your firewall device(s) match(es) known indicators of compromise (IoC).

What do I need to do?

Review the output of technical support file (TSF) analysis (see above question) to understand the level of attempted exploitation and remediation steps provided in the Unit 42 Threat Brief for CVE-2024-3400.
As a best practice, we strongly recommend all customers apply the Threat Prevention signature with Threat ID 95187 and 95189 (available in Applications and Threats content version 8835-8689 and later), and apply vulnerability protection to their GlobalProtect interface.
After completing above steps we strongly recommend installing the hotfix listed in the advisory for your impacted PAN-OS devices.

Is Prisma Access or Cloud NGFW impacted by this vulnerability?

Prisma Access and Cloud NGFW are not impacted by this vulnerability.

What PAN-OS versions are affected?

This affects PAN-OS versions 10.2 and greater.
Hotfixes are released for PAN-OS 10.2, 11.0 and 11.1 branches. Please refer to the security advisory for more information.

Is disabling telemetry an effective mitigation strategy?

In earlier versions of the advisory, disabling device telemetry was listed as a secondary mitigation action. Disabling device telemetry is no longer an effective mitigation. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.

How can I look for IoCs and research a potential compromise?

Please refer to the Unit42 Threat Brief (https://unit42.paloaltonetworks.com/cve-2024-3400/) and the Volexity blog post (https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execut...) for the latest information.

I applied the hotfix; how can I confirm I’m now “clean”?

Before rebooting into the hotfix it is recommended that you take a TSF and upload for analysis on any level of compromise and take the recommended remediation actions if appropriate
After remediating if needed, upgrading and booting into the hotfix, you can verify that you are running the fixed version of code by running the “show system info” CLI command and checking the sw-version field against what is published as fixed in the CVE.
You can upload the new TSF for analysis and confirmation that no further indicators of compromise are seen from the upgraded device.

Additional Resources on CVE-2024-3400:

BYUNGKWON-LEE · ‎04-12-2024

I upgraded to version 8833, but signature ID 95187 is not visible.

cciwa-admin · ‎04-12-2024

Yep, it was not there.

ipohlschneider · ‎04-12-2024

Same here

SomeSuch · ‎04-12-2024

I confirm, ThreatID 95187 not present in content update 8833-8682

B.Yeung · ‎04-12-2024

upgraded to 8833-8682, cannot find 95187

michelealbrigo · ‎04-12-2024

95187 is in the release notes, but searching for it in the profile editing section yields no results.

RyanMinty · ‎04-12-2024

Same issue as the above users 95187 is missing.

BYUNGKWON-LEE · ‎04-12-2024

app only shows the signature. However, the signature for app+threat is not visible.

hien.vo · ‎04-12-2024

Same issue there is no 95187 in PAN-OS content update 8833-8682

chagberg · ‎04-12-2024

it is visible in CLI, but not gui

show threat id 95187

This signature detects malicious payload in HTTPS request.

critical
Unknown
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention

Gustor · ‎04-12-2024

Apparently none of the new vulnerability signatures added to content release 8833 are visible, not only signature ID 95187.

Is everybody experiencing this same issue?

Gustor · ‎04-12-2024

I found the following article about missing threat ID's:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U27CAE

B.Yeung · ‎04-12-2024

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U27CAE

I follow this article to use cli to add, although after added gui still not seen 95187, but total exceptions increase one.

Gurminder_Birdee · ‎04-12-2024

anyone know why threat id 95187 is showing threat name 'Malicious HTTPS Request Detection' and not related to the actual command injection vulnerability ?

BYUNGKWON-LEE · ‎04-12-2024

I reverted the app and deleted 8833, then downloaded the app again and reinstalled it to solve the problem.

bachtiar.adiguna · ‎04-12-2024

Yeah, I think we all have same problem here, after updating the threat & apps, we couldn't find the Threat ID 95187, it's strange, pls let me know if there's an update

GarethBulleyGarethBulley · ‎04-12-2024

same issue with 95187 not showing

chagberg · ‎04-12-2024

did the same as @BYUNGKWON-LEE, and it now shows up in GUI.

JonasBeckerSOM · ‎04-12-2024

same here, 95187 not showing

itassetbenilde · ‎04-12-2024

same

MikeGeo · ‎04-12-2024

Same issue here. Signatures from this release not showing in GUI. Even though content version confirmed installed. Even tried to revert delete download and install again with the same result. Come on Palo!!

Stefan.s · ‎04-12-2024

@chagberg or @BYUNGKWON-LEE can you please share more in detail what you did? I tried it, but must have missed something, didn't work for me..

tarapitha · ‎04-12-2024

ID 95187 was not there right after applying 8833-8682, it took couple of minutes for it to appear in the list.

chagberg · ‎04-12-2024

I pushed first from Panorama.

It did not appear in the list but was visible in CLI.

Reverted to the previous one, and deleted 8833 on the FW.

Installed 8833 through CLI after running a "request content upgrade check" by running "request content upgrade download latest " and then "request content upgrade install latest "

It now appeared in GUI immediately.

chagberg · ‎04-12-2024

just got this from support

"If you are following TID protection based approach, please be aware of the following:
You may not see the TID when you check from the vulnerability profile in GUI due to a PAN-OS issue."

Stefan.s · ‎04-12-2024

@chagberg Thanks.

MikeGeo · ‎04-12-2024

@chagberg Thanks!!! This worked for me!!!

For others… downgrading, deleting, downloading again, installing again didn’t fix this signature not displaying in GUI but the CLI steps provided did!!

RLANG_2019 · ‎04-12-2024

They are there you have to go to the exceptions tab and check "show all signatures". You will then be able to see it.

HSDTechs · ‎04-12-2024

Signature is not visible in the GUI

PANcake · ‎04-12-2024

After installing the content update, the ID didn't show up on the GUI. Later I checked if it's shown on the CLI, show threat id 95187, and there it was. After CLI checkup it was also visible on the GUI. I don't know if CLI check populated it to the GUI, or if it came visible on GUI by itself, since there was few hours between update install and the moment I checked later.

SomeGuy1000 · ‎04-12-2024

I guess I am not super clear here, isn't this creating an any any rule and allowing traffic? would setting the action to drop and applying the profile achieve the same thing? Or at least specifying the globalprotect portal IP in the destination?

Hsingh · ‎04-12-2024

Hi Everyone,

If threat ID 95187 is still not showing after installing the Applications and Threats content version 8833-8682, please try logging out and logging back in, opening incognito mode, or restarting your management server.

How to Restart the Management server "mgmtsrvr" Process

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaGCAS

Regards,

Harpreet Singh

Gustor · ‎04-12-2024

i just waited a few hours and now the threat ID 95187 is showing up in the vulnerability protection profile under exceptions with "show all signatures".

i did use the CLI command earlier to show the threat ID but that didn't have any effect in the webUI as far as i know.

So patience is the key here? 🙂

PS.

It would be nice if PaloAlto Networks moderated or monitored this community and provided help and feedback on issues like this.

JonasBeckerSOM · ‎04-12-2024

log off and login worked for me to get 95187 visible

HSDTechs · ‎04-12-2024

@hsingh Thanks... should have thought to do this.

KuehnAnd · ‎04-12-2024

I don´t see this threat ID 95187 in the gui of PANOS version 10.2.8 but i can see it in version 10.1.12.
But when i use the cli command: show threat id 95187, i can see that this threat id is known by version 10.2.8 also.

CedricLeclere · ‎04-12-2024

same issue here, we can find it on our Palo but can't apply by Panorama. but we can see it on CLI....

Palo wake up please

pmauretti · ‎04-12-2024

@Gustor

Do you think Palo Alto can afford to pay someone to moderate? They are just a small $90B company (top 100 in the US) after all. 😁

Content is showing update here. Make sure you are showing all signatures and search by threat ID:

n230fs · ‎04-12-2024

@chagberg I had to follow that same process to get it to work. Thanks!

jpage386 · ‎04-12-2024

Hi,

I found I had to close out of all browser windows and re-launch the GUI and then the app was there. Must have been some sort of caching issue.

Claw4609 · ‎04-12-2024

Since I think it should be added here. Heres whats listed on the support portal:

Threat ID not seen after upgrading to the latest content version - 8833-8682 to remediate CVE-2024-3400.

This is due to the PANOS issue impacting all PANOS above 10.2.X.

The workaround is to use the below CLI command from config mode to check the Threat ID -

>config

# show predefined threats vulnerability 95187
95187 {
threatname "Malicious HTTPS Request Detection";
}

To configure the vulnerability profile, use severity "Critical" in the vulnerability profile from GUI, which will include TID 95187.

ddenayer · ‎04-12-2024

Anyone that follows step 4 is probably going to make things worse as it will remove any protections already in the Firewall policy. If you are already following the best practices and have your firewalls grabbing content updates regularly this is a non-issue.

Caveman · ‎04-12-2024

@SomeGuy1000 I had the same thoughts... It ultimately needs to apply to whatever rule you're allowing GP access I think. I have a zero trust for my WAN so I have to allow globalprotect explicitly, I will be adding the vulnerability profile here. Which I should have been from the start anyway.

AJS_Justin · ‎04-12-2024

Seeing lots of comments where new threat isnt visible, I had the same problem, logout did not resolve it. I ran the content update again via CLI and it did come through finally.

request content upgrade install sync-to-peer yes commit yes version latest

jocelynsloan · ‎04-12-2024

Do we configure step 4 as an Allow rule because the malicious traffic gets blocked by the security profile settings?

I'm a little confused why it is not a Deny rule (I don't want to block all my GP traffic, just the malicious stuff).

ddenayer · ‎04-12-2024

@SomeGuy1000 Security Profiles are only applicable to allow rules. Security Profiles have no bearing on what traffic hits the actual firewall policy, just what additional inspection the firewall does with the traffic once it matches a policy. What you should already have is a Firewall policy that allows traffic to the GlobalProtect interface or IP specifically and that policy should have a Security Profile Already associated with it that correlated to the Best Practices provided by Palo Alto. If that is being done (as it already should be) and you are doing content updates (dynamic updates) on a regular schedule, also provided through Best Practices. Then this vulnerability will have already been mitigated.

ddenayer · ‎04-12-2024

@jocelynsloan Security Profiles are what the firewall does with traffic after it takes the policy action of allow. Refer to my previous comment for what the best actions for this specific vulnerability are in a live environment. Palo Alto's guidance is good, but talk about this vulnerability in a vacuum, whereas the solution in a live environment is going to be very different for Step 4. Really all of this guidance only complicates the tasks for anyone that needs the guidance.

Matheus_Doria · ‎04-12-2024

I did the update in GUI and the ID 95187 didn't appear.
So I installed it again from CLI (without uninstalling):
command: request content upgrade install file panupv2-all-contents-8833-8682.tgz
Then 95187 appeared in the GUI.
🇧🇷

JimWeston · ‎04-12-2024

@SomeGuy1000 That is what I was thinking as well. The wording of this guide is really bad and why are they using version 9.x screenshots??? Come on Palo Alto, this is poor.

DevalS · ‎04-12-2024

All,

I am trying to go through this document, I am stuck on Step2. While creating the Vulnerability protection profile how does this applies to GlobalProtect Interface? I could not find that piece here. Can someone please explain?

TIA.

Unlock your full community experience!

Applying Vulnerability Protection to GlobalProtect Interfaces

Applying Vulnerability Protection to GlobalProtect Interfaces

FAQ: