A vulnerability "HSTS Missing From HTTPS Server" is reported on Panorama on port TCP/28443

Created On 01/14/23 02:10 AM - Last Modified 08/22/24 22:26 PM


Symptom


When Panorama is scanned for vulnerabilities on port TCP/28443, the scanner reports a finding such as the following:
The remote HTTPS server does not send the HTTP Strict-Transport-Security header
HSTS Missing From HTTPS Server


Environment


  • Any Panorama
  • Supported PAN-OS
  • Vulnerability Scanning


Cause


  • Port TCP/28443 is used only by the firewalls to download content files from Panorama; it is not a general-access channel.
  • It is not possible to connect to the port without a client certificate signed by Panorama's built-in CA certificate.
  • For example, when a scanner tool such as Nessus tries to connect to the port, the connection fails, and the HSTS (HTTP Strict Transport Security) header is not present in the error output.
  • As a result, the scanner tool flags this as a vulnerability.


Resolution


  1. This is not a vulnerability.
  2. When connecting to the port with the correct client certificate, the Strict-Transport-Security header is returned correctly.
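A triage check for this finding, added here as an example (it is not part of the article and not Palo Alto Networks code): it reproduces the scanner's view (handshake rejected, so no HTTP headers at all) and the view with the Panorama-issued client certificate, and separates a genuine missing HSTS header from the false positive described above. The hostname, certificate paths and function names are assumptions.

```python
"""Triage an "HSTS Missing From HTTPS Server" finding on a mutual-TLS port
such as Panorama TCP/28443 (example code; host and cert paths are placeholders)."""
import socket
import ssl

HSTS_HEADER = "strict-transport-security"


def parse_hsts(raw_response: bytes):
    """Return the Strict-Transport-Security value from a raw HTTP response, or None."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    for line in head.splitlines()[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == HSTS_HEADER:
            return value.strip()
    return None


def classify(outcome: str, hsts_value) -> str:
    """Turn a probe outcome into a triage verdict for the scanner finding."""
    if outcome == "no_http_response":
        # The server rejected the handshake before any HTTP exchange: the scanner
        # never saw headers, so it cannot judge HSTS. Same root cause as the article.
        return "false_positive: client certificate required, no HTTP headers observed"
    if hsts_value is None:
        return "finding_valid: HTTP response served without Strict-Transport-Security"
    return f"compliant: Strict-Transport-Security present ({hsts_value})"


def hsts_probe(host: str, port: int = 28443, certfile=None, keyfile=None,
               cafile=None, timeout: float = 5.0):
    """Fetch '/' over TLS with or without a client certificate.

    Returns (outcome, hsts_value). Without the client cert an mTLS-only port
    rejects the session, which is exactly what a scanner such as Nessus sees.
    Pass cafile=<Panorama built-in CA> to verify the server; otherwise server
    verification is disabled because that CA is not in the system trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    raw = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.sendall(request)
                while chunk := tls.recv(4096):   # TLS alert "certificate required" raises here
                    raw += chunk
    except (ssl.SSLError, OSError):
        return "no_http_response", None
    if not raw.startswith(b"HTTP/"):
        return "no_http_response", None
    return "http_response", parse_hsts(raw)
```

Run `classify(*hsts_probe("panorama.example", certfile="client.pem", keyfile="client.key"))` with the Panorama-issued client certificate and again without it to see both verdicts side by side.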


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000saRLCAY&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail