Hello @FarhanKoujalgi
You can enable the threat ID using the CLI given in https://security.paloaltonetworks.com/CVE-2021-3050. By default, the severity of Threat-ID 91439 is high and the action is block. You really don't have to take any action if you have the following: (a) A vulnerability profile is attached to the traffic to your management IP. (b) Your management IP traffic is passing through your firewall data-port. (c) Your vulnerability profile -> vulnerability rule -> high/critical severity is set to block or default.
Please note that the firewall does not run IPS on the traffic destined to the management *port*. The recommendation is either to force management traffic through the firewall, or to migrate the WebUI management of the device to a data port for in-band management using an interface management profile. Here is an article at https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/getting-started/best-practices-for-securi...
Other than the in-band solution, a few ways to force traffic through the firewall for out-of-band management are to create a spare data port on a separate Management Zone, associate a management interface profile to it, and define all service routes to source from this interface. Define an Interzone security policy for the Management Zone with an associated Vulnerability Protection profile to have the traffic scanned. This solution requires a single spare data port.
vWire can be another solution.
The fixed versions, PAN-OS 10.1.2 and 9.1.11, are released.
Thanks
Himani
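An added example, not part of the post above and not Palo Alto Networks code: a small audit of conditions (a) and (c) over an exported configuration, flagging security rules into the management zone that lack a vulnerability profile or whose profile does not block high/critical severity. The XML layout is a simplified assumption modelled on a PAN-OS export, and the zone, rule and profile names are hypothetical; condition (b) is a routing question this check cannot answer.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified fragment; layout modelled on a PAN-OS XML export (assumption).
SAMPLE = """<config>
 <profiles><vulnerability>
  <entry name="strict-vp"><rules><entry name="r1">
   <severity><member>critical</member><member>high</member></severity>
   <action><reset-both/></action></entry></rules></entry>
  <entry name="alert-only"><rules><entry name="r1">
   <severity><member>any</member></severity>
   <action><alert/></action></entry></rules></entry>
 </vulnerability></profiles>
 <rulebase><security><rules>
  <entry name="admin-to-mgmt"><to><member>Management</member></to>
   <profile-setting><profiles><vulnerability><member>strict-vp</member></vulnerability></profiles></profile-setting></entry>
  <entry name="monitor-to-mgmt"><to><member>Management</member></to>
   <profile-setting><profiles><vulnerability><member>alert-only</member></vulnerability></profiles></profile-setting></entry>
  <entry name="backup-to-mgmt"><to><member>Management</member></to></entry>
 </rules></security></rulebase>
</config>"""

# "default" counts as blocking here because the post says the signature's default action is block.
BLOCKING = {"default", "drop", "reset-client", "reset-server", "reset-both", "block-ip"}

def members(node, path):
    return {m.text for m in node.findall(path + "/member")}

def profile_blocks(profile, severity):
    for rule in profile.findall("rules/entry"):  # first matching rule decides (assumption)
        if members(rule, "severity") & {severity, "any"}:
            action = rule.find("action")
            return action is not None and len(action) > 0 and action[0].tag in BLOCKING
    return False

def audit(xml_text, mgmt_zone="Management"):
    root = ET.fromstring(xml_text)
    profiles = {p.get("name"): p for p in root.findall("profiles/vulnerability/entry")}
    findings = {}
    for rule in root.findall("rulebase/security/rules/entry"):
        if mgmt_zone not in members(rule, "to"):
            continue
        attached = members(rule, "profile-setting/profiles/vulnerability")
        prof = profiles.get(next(iter(attached), None))
        if prof is None:
            findings[rule.get("name")] = "no resolvable vulnerability profile"
            continue
        weak = [s for s in ("high", "critical") if not profile_blocks(prof, s)]
        if weak:
            findings[rule.get("name")] = "not blocked: " + ", ".join(weak)
    return findings
```

Calling `audit(SAMPLE)` returns a dict keyed by rule name; an empty dict means every rule into the management zone satisfies (a) and (c).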