Community Team Member

Hi @ManojV5 ,

 

It could be a false positive, as the secure flag is set when I check on my lab (PA-VM running 9.1 and 10.1) ... unfortunately I don't have a PA-820 to test, but you can easily verify yourself with the command:

$ curl -k -i https://<yourIP>/php/login.php

 

Feel free to run the same command on your device and check the response (notice the secure flag is set in Set-Cookie in both my responses):

 

AMSMAC60KYG8WL:~ kwens$ curl -k -i https://192.168.0.207/php/login.php >>>>> PAN-OS 9.1
HTTP/1.1 200 OK
Date: Wed, 02 Feb 2022 12:46:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-FRAME-OPTIONS: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
Strict-Transport-Security: max-age=31536000
Set-Cookie: PHPSESSID=95a09564ecf30d16912f68458c038b57; path=/; HttpOnly; SameSite=Strict; secure; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS


AMSMAC60KYG8WL:~ kwens$ curl -k -i https://192.168.0.75/php/login.php >>>>> PAN-OS 10.1
HTTP/1.1 200 OK
Date: Wed, 02 Feb 2022 12:41:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-FRAME-OPTIONS: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:
Strict-Transport-Security: max-age=31536000
Set-Cookie: PHPSESSID=5420dde555d4512fd0ba4a4129b57581; path=/; HttpOnly; SameSite=Strict; secure; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS

 

Unless they are checking for something else, it seems to me that the secure flag is set correctly.

 

Hope this helps,

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
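As an added example (not code from the post above or from Palo Alto Networks), a small Python checker that does what the curl test does and then parses the Set-Cookie header the way a scanner should: attribute names are matched case-insensitively per RFC 6265, so the lowercase `secure` in the responses above counts as set, and the duplicated `HttpOnly` collapses to one attribute. The sample headers are the two Set-Cookie lines quoted above; the URL argument and the `audit_login_cookie` fetch helper are assumptions.

```python
import ssl
import urllib.request
from typing import Dict, List

# Set-Cookie values copied from the two responses quoted in the post
# (constructed sample input so the checks below run offline).
SAMPLE_SET_COOKIE = [
    "PHPSESSID=95a09564ecf30d16912f68458c038b57; path=/; HttpOnly; SameSite=Strict; secure; HttpOnly",
    "PHPSESSID=5420dde555d4512fd0ba4a4129b57581; path=/; HttpOnly; SameSite=Strict; secure; HttpOnly",
]

REQUIRED = ("secure", "httponly")  # attributes a session cookie should carry


def parse_set_cookie(value: str) -> Dict[str, str]:
    """Split one Set-Cookie value into {'name': ..., 'value': ..., attr: attr_value}.
    Attribute names are compared case-insensitively (RFC 6265 section 5.2), so a
    lowercase 'secure' counts just like 'Secure'; repeated attributes collapse."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    parsed = {"name": name.strip(), "value": cookie_value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        parsed[key.strip().lower()] = val.strip()
    return parsed


def missing_flags(value: str) -> List[str]:
    """Return the required attributes absent from this Set-Cookie header (empty list = OK)."""
    parsed = parse_set_cookie(value)
    return [flag for flag in REQUIRED if flag not in parsed]


def audit_login_cookie(url: str) -> Dict[str, List[str]]:
    """Fetch the page like `curl -k -i` (certificate verification disabled, as -k does)
    and report the missing flags for every Set-Cookie header in the response.
    Hypothetical helper; the URL is whatever you pass in, e.g. https://<yourIP>/php/login.php."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        headers = resp.headers.get_all("Set-Cookie") or []
    return {parse_set_cookie(h)["name"]: missing_flags(h) for h in headers}


if __name__ == "__main__":
    for line in SAMPLE_SET_COOKIE:
        print(parse_set_cookie(line)["name"], "missing:", missing_flags(line) or "nothing")
```

If a scanner still reports the flag as missing on a response like the ones above, compare its raw capture with this parser's output; a case-sensitive match on `Secure` would explain the discrepancy.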