Having run a PCI DSS compliance scan, it has come back that our GlobalProtect VPN setup is flagged as a failing vulnerability for Redirection via Arbitrary Host Header Manipulation.
We have it set up to redirect to Azure to authenticate account details.
The solution they have given us to fix the issue is:
Implementing proper validation and sanitization of input headers is essential to mitigate the risks of Host header injection.
Whitelist domains, only allow permitted domains to be included in Host header.
How do we go about implementing this?
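The scanner's remediation text above (validate the Host header against an allowlist of permitted domains) describes generic web-server logic rather than a PAN-OS setting. The following added example is not from this thread or from Palo Alto; it shows, in plain Python, the difference between a redirect that echoes the client-supplied Host header (what the scan flags) and one that only ever emits an allowlisted portal name, plus the check a scanner effectively performs. The host name vpn.example.com, the path /login and the fallback name are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist for this example: the portal's canonical FQDN(s).
ALLOWED_HOSTS = {"vpn.example.com"}
FALLBACK_HOST = "vpn.example.com"


def redirect_location_unchecked(host_header: str, path: str) -> str:
    """'Before' behaviour: the HTTP->HTTPS redirect target is built straight from
    the client-supplied Host header, so whatever Host the scanner sends is
    reflected into the Location header."""
    return f"https://{host_header}{path}"


def normalize_host(host_header: Optional[str]) -> Optional[str]:
    """Return the Host value as canonical lowercase 'host' or 'host:port', or
    None when it is malformed (empty, contains scheme/path/query/userinfo
    characters, bad port). IPv6 literals are rejected; a portal FQDN never is one."""
    if not host_header:
        return None
    value = host_header.strip().lower()
    if value.startswith("[") or any(c in value for c in "/?#@\\ \t"):
        return None
    host, sep, port = value.rpartition(":")
    if not sep:
        return value
    if not port.isdigit() or not (0 < int(port) < 65536):
        return None
    if port == "443":
        return host            # default HTTPS port adds nothing to the target
    return f"{host}:{port}"


def redirect_location(host_header: Optional[str], path: str,
                      allowed_hosts=ALLOWED_HOSTS, fallback: str = FALLBACK_HOST) -> str:
    """Hardened behaviour: only an allowlisted Host is used in Location; any other
    value (including a malformed one) is replaced by the canonical portal name.
    The path is also kept as a single-slash absolute path so a protocol-relative
    '//other.host' cannot smuggle a different target in."""
    host = normalize_host(host_header)
    if host not in allowed_hosts:
        host = fallback
    if not path.startswith("/") or path.startswith("//"):
        path = "/"
    return f"https://{host}{path}"


def redirect_reflects_host(location: str, injected_host: str) -> bool:
    """The check a compliance scanner effectively performs: does the Location
    header point at the host value the scanner supplied in its request?"""
    return urlsplit(location).netloc.lower() == injected_host.lower()


if __name__ == "__main__":
    injected = "scanner.invalid"        # constructed, non-routable host value
    before = redirect_location_unchecked(injected, "/login")
    after = redirect_location(injected, "/login")
    print("unchecked:", before, "-> flagged" if redirect_reflects_host(before, injected) else "-> ok")
    print("allowlisted:", after, "-> flagged" if redirect_reflects_host(after, injected) else "-> ok")
```

Running it shows the unchecked redirect landing on the injected host while the allowlisted version always lands on the portal's own name; the same allowlist-then-fallback rule is what to look for in whatever device or reverse proxy actually issues the HTTP-to-HTTPS redirect in front of the portal.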
Ours doesn't even redirect that far out. It merely redirects HTTP to HTTPS for local authentication in order to view the links to download the GlobalProtect client(s). One very unclear recommendation I saw a month or two back was to filter (deny) HTTP traffic (with no other details) but this seemed like a great way to break legitimate traffic for end users if not implemented correctly.
We are having the same issue with our PCI compliance scans for credit card processing. We do this quarterly and it just started failing this time, so I guess the compliance scans are now flagging this. It's not enough to disable the portal landing page. A redirect to a non-existent page still occurs and that is what is being flagged.
We tried explicitly blocking the redirect page, but the redirect still occurs. This seems like something Palo Alto needs to address if they have not already. We have a support case open so we'll see if someone has an answer.
It appears support has attempted to call me several times but the call is not being accepted/connected. That probably is not a PA issue however, as we've had many problems with our hosted VoIP provider. Still, my ticket detail references this community discussion topic with a direct link to it and specifically asks, "If you would, please respond to this post with directions on how to block HTTP requests ONLY for the GlobalProtect portal."
It would be nice for all if support could provide a guide here on how to work around this.