This document discusses the configuration steps for applying a vulnerability protection security profile to GlobalProtect interface, in order to protect the GlobalProtect services from attacks using published product security vulnerabilities.
In customer deployments that use GlobalProtect for remote access, customers often configure and apply security profiles such as vulnerability protection to network traffic between VPN clients and internal network zones.
There are also certain circumstances where a customer may want to apply a vulnerability protection profile to traffic hitting the GlobalProtect portal and gateway services, which are served by the firewall and not just traffic going through the firewall into the network. For example, there may be situations where a customer wants to block attempted attacks before they are able to upgrade PAN-OS to a patched version. This can be accomplished by applying a properly configured vulnerability protection profile to a firewall rule that is configured to apply to traffic hitting the GlobalProtect portal and gateway services hosted by the firewall.
Note: This document uses CVE-2019-1579 as an example in this how-to guide, where vulnerability protection signature #54582 was released in content version 8173*, released on 7/18/2019 to detect and prevent attempted attacks. The vulnerability affected GlobalProtect portal and gateway services. This document assumes that the firewall is already configured and used as a GlobalProtect portal and/or gateway service.
*Note: Additional protections for CVE-2019-1579 were released with Content version 8180
Step 1: Ensure that you have the latest content update installed that includes the relevant threat protection
Make sure the content version that you are running includes the threat signature(s) that need to be applied to the GlobalProtect interfaces in order to block the attack.
In the example used in this document, the minimum content version required is 8173, which was released on 7/18/2019.
Step 2: Determine the correct zone for GP portal and GP gateway
If a GP Portal is configured, go to Network > GlobalProtect > Portals and find the portal and associated interface. In the example below, you will see we are using GP-Auto-Portal1 as an example. The interface that the portal connects to is shown to be ethernet1/1.
Determine the associated zone for the GlobalProtect portal that includes the interface found in the previous step. Go to Network > Interfaces > Ethernet. In the example below, we can see that interface ethernet1/1 is in GP-untrust zone.
If a GlobalProtect gateway is configured, go to Network > GlobalProtect > Gateways and find the gateway and associated interface. In the example below, you will see we are using GP-GW1 as an example. The interface is loopback.1.
Determine the zone associated with the GlobalProtect gateway. Go to Network > Interfaces > Loopback. We can see that interface loopback.1 is also in GP-untrust zone. Now we know the zone for the portal and gateway, which we need to protect with a vulnerability protection profile.
Step 3: Modify or Create a New Vulnerability Protection Profile
Configure a new or existing vulnerability profile that is specifically configured to block the relevant threat impacting the GlobalProtect services. Go to Objects > Security Profiles > Vulnerability Protection. We recommend as a best practice to simply set the blocking action of “reset-server” for all critical severity signature triggers.
Alternatively, you can add an exception specifically for the relevant signature (#54582 in this case) to configure the reset-server action for this signature when it triggers (see below).
Step 4: Create a firewall security rule
After modifying or creating a new vulnerability protection object, create a security rule to apply the vulnerability protection profile to. Go to Policies > Security. Create a new policy. In this example, we name it “block_gp_vulnerability.” The source zone should be “any” and the destination zone is the GlobalProtect gateway and/or GlobalProtect portal zones we found in step 1. Assign to this rule the Vulnerability Protection Profile you modified or created in step 2.
Step 5: Commit
Commit the changes to apply the new Vulnerability Protection Profile to the Security Rule protecting the GP Portal and/or Gateway. Any attempted attacks against the GlobalProtect services that attempt to use this specific vulnerability will be blocked and logged in the threat log.
... View more