Security Policy for devices impacted by PAN-SA-2019-0011

Security Policy for devices impacted by PAN-SA-2019-0011

Created On 05/14/19 18:20 PM - Last Modified 07/19/22 23:14 PM


Described below is the policy to block ports 28869/28870 as described in Security Advisory PAN-SA-2019-0011.

Once installed the device will block inbound connections to ports 28869 and 28870. 


The policy provided is intended for use on impacted software versions:

PAN-OS 8.0.8 - 8.0.13
PAN-OS 8.1.0 - 8.1.3

Please note this is an interim solution intended for use until a more recent software version with applicable updates can be deployed to your devices.

  1. Create Service Objects: (Objects > Services > Add)
Create a new Service Object populating the "Destination Port" information with "28869,28870"
User-added image
Example Object:
  1. Optional - Create IP address Objects for desired interface(s) (Objects > Addresses > Add)
Create a new Address Object and populate the IP Netmask field with the interface IP. 
User-added image

Alternatively, the IP address can be entered to the security rule covered below as the Destination Address without creating an Address Object.
  1. Create Security Policy Rule to block Traffic
User-added image
  1. Commit the policy to the device.

  • Print
  • Copy Link