Palo Alto Networks Knowledgebase: Stopgap Mitigations Against PAN-SA-2016-0003, PAN-SA-2016-0004, PAN-SA-2016-0005
Created On 09/26/18 13:39 PM - Last Updated 09/26/18 14:00 PM
Proper configuration of a PAN-OS device is required to detect and prevent exploitation of the vulnerabilities described in PAN-SA-2016-0003, PAN-SA-2016-0004, and PAN-SA-2016-0005.
The recommended action from Palo Alto Networks remains upgrading PAN-OS to the fixed versions specified in the security advisories. As a stopgap until that upgrade can be performed, emergency content release 563 contains signatures that help protect PAN-OS devices.
These signatures are threat IDs 38902, 38903 and 38904.
The mitigation consists of the following steps:
- Install content package 563.
- Configure a vulnerability protection profile that takes the reset-both action on a signature match.
- Assign the configured vulnerability protection profile to a security rule.
- If a dataplane interface is used for device management, configure inbound SSL decryption so that the signatures can be applied to that traffic and protect against PAN-SA-2016-0003.
1. Content Installation for Content Package 563
- Ensure that content update 563 (or a later release; content packages are cumulative, so later releases also carry these signatures) is downloaded and installed.
2. Configure a Vulnerability Protection Profile
This section briefly describes how to configure a vulnerability protection profile that takes preventative action when the threat IDs associated with these security advisories (38902, 38903 and 38904) are detected.
There are two options for this portion of the configuration:
- Use the predefined vulnerability protection profile "strict". It is configured to take the reset-both action on high-severity signatures, and 38902, 38903 and 38904 are high-severity signatures, so this profile can be applied as-is to the security rule that matches inbound traffic destined for the firewall.
- Create a custom vulnerability protection profile with the action for these three signatures set to reset-both. Please reference this link for assistance with this process.
3. Assign the Vulnerability Protection Profile to a Security Rule
This section describes how to assign the previously configured vulnerability protection profile to a security rule that matches traffic destined for GlobalProtect and for any dataplane interface used for management.
For this exercise, assume that GlobalProtect is hosted on an interface in the "Untrust" zone and that VPN clients also connect from the "Untrust" zone.
To protect against exploitation of the GlobalProtect vulnerabilities described in PAN-SA-2016-0004 and PAN-SA-2016-0005, the vulnerability protection profile must be assigned to a security rule that inspects "Untrust"-to-"Untrust" traffic. An explicit rule is needed because the default intrazone rule allows this traffic without applying any security profile.
In the screenshot of the resulting rule, the icon under the PROFILE column is the vulnerability protection profile "strict" referenced in the previous step; the source zone is "Untrust" and the destination zone is "Untrust".
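Steps 1 to 3 expressed as PAN-OS CLI commands, added here as an example and not taken from this article or from Palo Alto Networks. The profile name PAN-SA-2016-stopgap, the rule name Protect-GlobalProtect and the address object GP-Portal (the portal/gateway address) are placeholders, and the set-command syntax follows PAN-OS configuration mode as I know it rather than anything shown on the page. The custom-profile option is shown: a high-severity rule plus explicit exceptions for the three threat IDs.

```text
admin@fw> request content upgrade download latest
admin@fw> request content upgrade install version latest
admin@fw> show system info | match app-version
admin@fw> configure
admin@fw# set profiles vulnerability PAN-SA-2016-stopgap rules block-high action reset-both severity high threat-name any host any category any vendor-id any cve any packet-capture disable
admin@fw# set profiles vulnerability PAN-SA-2016-stopgap threat-exception 38902 action reset-both
admin@fw# set profiles vulnerability PAN-SA-2016-stopgap threat-exception 38903 action reset-both
admin@fw# set profiles vulnerability PAN-SA-2016-stopgap threat-exception 38904 action reset-both
admin@fw# set rulebase security rules Protect-GlobalProtect from Untrust to Untrust source any destination GP-Portal application [ panos-global-protect ssl web-browsing ] service application-default action allow profile-setting profiles vulnerability PAN-SA-2016-stopgap
admin@fw# move rulebase security rules Protect-GlobalProtect top
admin@fw# commit
```

The show system info line must report an app-version of 563 or later before the profile is useful. To use the predefined profile instead of a custom one, replace PAN-SA-2016-stopgap with strict in the rule's profile-setting. The move command matters: security rules are evaluated top-down, so a broader Untrust-to-Untrust rule placed above this one would match the GlobalProtect traffic first and the profile would never be applied.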
If a dataplane interface is used for device management, take the following additional step. Without it the firewall cannot inspect the encrypted management session, so the signatures have nothing to match.
4. Configure Inbound SSL Decryption
Please reference the following documents to assist in configuring inbound SSL decryption:
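A check of the complete mitigation, added here as an example and not Palo Alto Networks code: given a configuration export and the output of show system info, it verifies the content version, that every allow rule between the GlobalProtect zone and itself carries a vulnerability profile that resets both sides for all three threat IDs (a threat exception set to alert downgrades the profile, which the script catches), and, when management rides on a dataplane interface, that an SSL inbound inspection decryption rule exists. The XML layout (single vsys, profiles/vulnerability, rulebase/security, rulebase/decryption, the type/ssl-inbound-inspection element), the app-version field name and the sample data are assumptions; profile groups and additional vsys are not handled.

```python
"""Audit a PAN-OS config export for the PAN-SA-2016-0003/4/5 stopgap (added
example, not Palo Alto Networks code). Assumed, not shown on the page: the
config XML layout, the `app-version:` line of `show system info`, and the
constructed sample data. Profile groups and extra vsys are not handled."""
import re
import xml.etree.ElementTree as ET

STOPGAP_THREAT_IDS = ("38902", "38903", "38904")  # signatures named on the page
MIN_CONTENT_VERSION = 563                         # emergency content release
PREDEFINED_BLOCKING = {"strict"}   # predefined profile, reset-both on high severity
VSYS = "./devices/entry/vsys/entry"               # first vsys only (assumption)

SAMPLE_SYSINFO = "hostname: fw-edge\napp-version: 563-3242\n"  # constructed
# Constructed config: "stopgap-full" covers all IDs via a high-severity rule,
# "stopgap-partial" downgrades 38904 to alert with a threat exception.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<profiles><vulnerability>
<entry name="stopgap-partial"><threat-exception>
<entry name="38902"><action><reset-both/></action></entry>
<entry name="38903"><action><reset-both/></action></entry>
<entry name="38904"><action><alert/></action></entry></threat-exception></entry>
<entry name="stopgap-full"><rules><entry name="block-high"><action><reset-both/></action>
<severity><member>high</member></severity><threat-name>any</threat-name></entry></rules></entry>
</vulnerability></profiles><rulebase><security><rules>
<entry name="GP-inbound"><from><member>Untrust</member></from><to><member>Untrust</member></to>
<action>allow</action><profile-setting><profiles><vulnerability><member>stopgap-full</member>
</vulnerability></profiles></profile-setting></entry>
<entry name="Mgmt-inbound"><from><member>Untrust</member></from><to><member>Untrust</member></to>
<action>allow</action><profile-setting><profiles><vulnerability><member>stopgap-partial</member>
</vulnerability></profiles></profile-setting></entry></rules></security>
<decryption><rules><entry name="Decrypt-mgmt"><from><member>Untrust</member></from>
<to><member>Untrust</member></to><action>decrypt</action>
<type><ssl-inbound-inspection>fw-mgmt-cert</ssl-inbound-inspection></type></entry>
</rules></decryption></rulebase></entry></vsys></entry></devices></config>"""

def content_version(sysinfo: str) -> int:
    """Major content version from `show system info` text; 0 if absent."""
    m = re.search(r"^app-version:\s*(\d+)", sysinfo, re.M)
    return int(m.group(1)) if m else 0

def _action(elem):
    """Action of a profile rule or exception: the tag of <action>'s child."""
    act = elem.find("action")
    return act[0].tag if act is not None and len(act) else None

def profile_blocks_all(profile) -> bool:
    """True if every stopgap ID resolves to reset-both. A threat-exception
    overrides the rules for its ID; otherwise the ID is covered only by a
    reset-both rule with threat-name any and severity high (or any)."""
    exceptions = {e.get("name"): _action(e) for e in profile.findall("threat-exception/entry")}
    catch_all = any(
        _action(r) == "reset-both" and r.findtext("threat-name", "any") == "any"
        and {m.text for m in r.findall("severity/member")} & {"high", "any"}
        for r in profile.findall("rules/entry"))
    default = "reset-both" if catch_all else None
    return all(exceptions.get(t, default) == "reset-both" for t in STOPGAP_THREAT_IDS)

def blocking_profiles(root) -> set:
    """Profiles, custom or predefined, that block all three signatures."""
    names = set(PREDEFINED_BLOCKING)
    names.update(p.get("name") for p in root.find(VSYS).findall("profiles/vulnerability/entry")
                 if profile_blocks_all(p))
    return names

def zone_rules(root, zone: str) -> dict:
    """Allow rules from `zone` to `zone` -> whether they carry a blocking profile."""
    good, result = blocking_profiles(root), {}
    for r in root.find(VSYS).findall("rulebase/security/rules/entry"):
        src = {m.text for m in r.findall("from/member")}
        dst = {m.text for m in r.findall("to/member")}
        if zone in src and zone in dst and r.findtext("action") == "allow":
            prof = r.findtext("profile-setting/profiles/vulnerability/member")
            result[r.get("name")] = prof in good
    return result

def has_inbound_decryption(root, zone: str) -> bool:
    """True if a decrypt rule from `zone` uses SSL inbound inspection."""
    return any(
        r.findtext("action") == "decrypt" and r.find("type/ssl-inbound-inspection") is not None
        and zone in {m.text for m in r.findall("from/member")}
        for r in root.find(VSYS).findall("rulebase/decryption/rules/entry"))

def audit(config_xml: str, sysinfo: str, mgmt_on_dataplane: bool, zone: str = "Untrust") -> dict:
    """Checks from the article; decryption is checked only when management
    rides on a dataplane interface (step 4)."""
    root = ET.fromstring(config_xml.strip())
    rules = zone_rules(root, zone)
    findings = {"content_ok": content_version(sysinfo) >= MIN_CONTENT_VERSION,
                "rules": rules,
                "all_rules_protected": bool(rules) and all(rules.values())}
    if mgmt_on_dataplane:
        findings["inbound_decryption_ok"] = has_inbound_decryption(root, zone)
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, SAMPLE_SYSINFO, mgmt_on_dataplane=True))
```

On a real device, feed the script the XML from an export of the running configuration and the text of show system info. In the constructed sample the GP-inbound rule passes while Mgmt-inbound fails, because its profile's exception for 38904 overrides the reset-both action with alert, which is exactly the kind of quiet downgrade a manual review of the profile page tends to miss.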