Hey, guys, one of my clients want the POA (Plan of Action) for this vulnerability what should I check in the firewall. I checked the Traffic WAN TO WAN the security Profiles are attached properly but the management IP is pvt i access the firewall by the public. is there any Command through CLI I enable the threat ID given in the as the resolved PANOS IS unstable right now what should we do Now
You can enable the threat ID by CLI given in https://security.paloaltonetworks.com/CVE-2021-3050
By default, Severity Threat-ID 91439 is high and action is blocked.
You really don't have to take any action if you have the following:
(a) A vulnerability profile is attached to the traffic to your management IP (b) Your management IP traffic is passing through your firewall data-port (c) your vulnerability profile-> vulnerability rule -> high/critical severity is set to block or default.
Please note the firewall does not run IPS on the traffic destined to the management *port*, the recommendation is either to force management traffic through the firewall, or migrate the WebUI management of the device to a data port for in-band management using an interface management profile. Here is an article at https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/getting-started/best-practices-for-securi...
Other than the in-band solution, a few ways to force traffic through the firewall for out of band management are to create a spare data port on a separate Management Zone, associate a management interface profile to it, and define all service routes to source from this interface. Define an Interzone security policy for the Management Zone with an associated Vulnerability Protection profile to have the traffic scanned. This solution requires a single spare data port.
vWire can be another solution.
The fixed version of PAN-OS 10.1.2 and 9.1.11 is released.
If you want the CLI only, here are the steps assuming that you have a security rule, say rule-1, that is inspecting traffic to your web access to management, and that rule has vulnerability profile as default-base.
#set profiles vulnerability default-base threat-exception 91439 action reset-both
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!