You can mitigate this vulnerability by having traffic that routes to the management interface be scanned by a Vulnerability Protection profile which should be set to reset-both on High severity vulnerabilities. Since the firewall does not run IPS on the traffic destined to the management *port*, the recommendation implies that you would either force management traffic through the firewall, or migrate the WebUI management of the device to a data port for in-band management (where the Vulnerability Protection profile can scan the traffic) using an interface management profile, and/or, mitigate risk by restricting access to the management port. This is covered in our documentation at https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/getting-started/best-practices-for-securing-administrative-access.html
Other than the in-band solution, a few ways to force traffic through the firewall for out-of-band management are to:
1) Create a Layer 3 interface in a spare data port on a separate Management Zone, associate a management interface profile to it, and define all service routes to source from this interface. Define an intrazone security policy for the Management Zone with an associated Vulnerability Protection profile to have the traffic scanned. This solution requires a single spare data port; or,
2) Create a vWire on two data ports, connect one port of the vWire to the management port and the other to your management network switch. Define a security policy for the vWire with an associated Vulnerability Protection profile to have the traffic scanned. This solution requires two spare data ports. The advantage in this scenario is that it provides true management isolation and that, for any required services that do not honor Service Routes, traffic will continue to source from the Management port.
By the way, 10.1.2 and 9.1.11 have already been released.
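As an added check (not from the post or from Palo Alto Networks), the script below audits an exported PAN-OS configuration for the option-1 setup described above: every interface in the management zone carries an interface management profile with a permitted-ip restriction, and an intrazone rule for that zone attaches a Vulnerability Protection profile that resets High-severity threats. The XML layout, the zone/profile names and the sample config are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in PAN-OS export layout (assumed, not taken from the post): zone "MGMT"
# on ethernet1/3, a restricted management profile, an intrazone rule and a vulnerability profile.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><network>
<profiles><interface-management-profile><entry name="MGMT-Profile"><https>yes</https><ssh>yes</ssh>
<permitted-ip><entry name="10.10.0.0/24"/></permitted-ip></entry></interface-management-profile></profiles>
<interface><ethernet><entry name="ethernet1/3"><layer3>
<interface-management-profile>MGMT-Profile</interface-management-profile></layer3></entry></ethernet></interface>
</network><vsys><entry name="vsys1">
<zone><entry name="MGMT"><network><layer3><member>ethernet1/3</member></layer3></network></entry></zone>
<profiles><vulnerability><entry name="Mgmt-Vuln"><rules><entry name="high-reset">
<action><reset-both/></action><severity><member>high</member></severity></entry></rules></entry></vulnerability></profiles>
<rulebase><security><rules><entry name="Mgmt-Scan"><from><member>MGMT</member></from><to><member>MGMT</member></to>
<action>allow</action><profile-setting><profiles><vulnerability><member>Mgmt-Vuln</member></vulnerability></profiles>
</profile-setting></entry></rules></security></rulebase></entry></vsys></entry></devices></config>"""


def resets_high(vsys, profile):
    """True if the named Vulnerability Protection profile has a rule applying reset-both to High severity."""
    for rule in vsys.findall(f"profiles/vulnerability/entry[@name='{profile}']/rules/entry"):
        severities = {m.text for m in rule.findall("severity/member")}
        if "high" in severities and rule.find("action/reset-both") is not None:
            return True
    return False


def audit(xml_text, zone):
    """Return a list of findings for the management zone; an empty list means the setup matches."""
    dev = ET.fromstring(xml_text).find("devices/entry")
    vsys = dev.find("vsys/entry")
    findings = []
    # 1) every interface in the zone has a management profile that restricts permitted source IPs
    for m in vsys.findall(f"zone/entry[@name='{zone}']/network/layer3/member"):
        l3 = dev.find(f"network/interface/ethernet/entry[@name='{m.text}']/layer3")
        prof = l3.findtext("interface-management-profile") if l3 is not None else None
        if prof is None:
            findings.append(f"{m.text}: no interface management profile")
        elif not dev.findall(f"network/profiles/interface-management-profile/entry[@name='{prof}']/permitted-ip/entry"):
            findings.append(f"{m.text}: profile {prof} does not restrict permitted IPs")
    # 2) an intrazone rule for the zone scans with a profile that resets High-severity threats
    if not any(r.findtext("from/member") == zone and r.findtext("to/member") == zone
               and r.findtext("profile-setting/profiles/vulnerability/member")
               and resets_high(vsys, r.findtext("profile-setting/profiles/vulnerability/member"))
               for r in vsys.findall("rulebase/security/rules/entry")):
        findings.append(f"{zone}: no intrazone rule with a Vulnerability Protection profile resetting High severity")
    return findings
```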