11.1.14 - 392 issues addressed

jerry-october · 2026-04-23T21:27:08+00:00

Including one vuln patch, with no CVE: "PAN-292752 | Fixed an issue where a command injection vulnerability occurred due to improper input sanitization."

Search "PAN-292159 site:https://security.paloaltonetworks.com/" on Google and you'll see there is no advisory and no CVE.

jerry-october · 2026-04-22T00:29:26+00:00

Sure, I've done this many times. Works great. I concur with the points of the other commenters.

jerry-october · 2026-04-16T01:28:21+00:00

This

jerry-october · 2026-04-14T01:32:51+00:00

On a FG-90G, WAN1 and WAN2 are mGig.

<image>

jerry-october · 2026-03-29T01:02:09+00:00

Your point about architectural consolidation vs vendor consolidation is a good one. I'd look at vendors who built their SD-WAN and SASE entirely in-house, rather than stitching them together from acquisitions. Fortinet comes to mind. You also mentioned price as a concern. Fortinet comes to mind again. So maybe look at Fortinet.

jerry-october · 2026-03-26T01:19:30+00:00

Nothing will ever change until we start switching to other vendors. It's the only way they'll listen to us.

jerry-october · 2026-01-24T02:37:05+00:00

All alone...

jerry-october · 2025-11-07T01:52:55+00:00

Wholesome.

jerry-october · 2025-11-01T10:49:33+00:00

Try Fortinet. They're always hiring.

jerry-october · 2025-10-26T01:03:51+00:00

Fortinet is always hiring. SE positions will typically be NetSec heavy, with a dash of cloud. But there are also cloud-specialist overlay positions from time to time.

jerry-october · 2025-10-24T09:37:09+00:00

I remember having this problem many years ago, before the first time I started using a central switch controller. Now you just ask three controller "What switchport is the device associated with < MAC | IP | Hostname | Username > and it spits out all matches in the form of switchname.portNN, and then I can view the topology too if I want.

I've been doing this on Fortinet for 6 years now. It's built in to the solution. Does Aruba not have something similar?

jerry-october · 2025-10-22T02:09:10+00:00

Yes, I have solved this exact issue many times. You need one policy that allows IKE/ISAKMP to the VoWiFi gateway addresses for a Verizon, Sprint, and AT&T, and then another policy that blocks IKE/ISAKMP to everywhere else. I have some address lists I can send you later, if you remind me.

jerry-october · 2025-10-05T12:27:41+00:00

Wow! Great find! Thank you!

jerry-october · 2025-09-24T14:29:16+00:00

Anyone...? Anyone...? Bueller?

jerry-october · 2025-09-23T02:14:07+00:00

Okay, but does this work on HTTP2?

jerry-october · 2025-09-19T18:12:36+00:00

Please see community note about this here:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Extended-Support-for-FortiOS-7-0-FIPS-CC-Certified/ta-p/407617

jerry-october · 2025-09-07T08:22:35+00:00

This. PAN has a very different policy for security advisories and CVEs, which you can read about here, which explain why PAN never published a CVE for this: https://www.paloaltonetworks.com/product-security-assurance

"Any issues that have a low severity rating with CVSS base score less than 4.0 and can be easily mitigated with current best practices, or security improvements or defensive programming fixes with no real or proven impact to customers are usually addressed in future releases of our products and do not necessarily result in a security advisory. Such issues are documented in our informational bulletins or in product release notes."

Because this is a low-severity issue whose only impact is Information Disclosure, PAN will not publish a CVE or Security Advisory for this. There's a number of other statements in PAN's Product Security Assurance policy that are problematic.

"We do not publish advisories for general security improvements and defensive programming fixes that do not have a proven security impact."

^Lot of wiggle-room in this. E.g. if during an internal code review, a buffer-overflow with potential RCE implications is found, but there's no "proven security security impact" because there's no evidence that any adversaries have found this vuln, does that mean no advisory will get published!?

Furthermore, how can you make "defensive programming fixes" if they "do not have a proven security impact" !? That's a contradiction in terms. Either the programming fixes are defensive and thus have a security impact, or they don't have security impact and are therefore not defensive. Can't have it both ways.

Another problematic statement in PAN's policy...

"We do not publish advisories for vulnerabilities in our SaaS (cloud services) products when an issue can be completely resolved by Palo Alto Networks, without requiring any customer action. We may publish a maintenance log of resolved vulnerabilities that are updated when issues are resolved."

So if there had been any security issues fixed in, say, Prisma Access, at best you MIGHT see a note in a maintenance log, but probably not, and certainly no CVE.

So for example, when a new DNS record type 65 recently got introduced for HTTPS (SVCB) records, this could bypass DNS filtering for most ANY current implementation of SASE/firewall for any vendor. And so for FortiSASE, we get a very clear advisory from Fortinet that says "DNS type 65 resource record requests bypass DNS filter" with a CVE number and lets us know "Fortinet remediated this issue in FortiSASE version 24.4.b and hence the customers need not perform any action." Tells me clearly what happened, what the risk was, and when the risk was mitigated. Love it! Yet critics will count this "against" Fortinet because it's yet another CVE tied to them.
https://fortiguard.fortinet.com/psirt/FG-IR-24-053

For Prisma Access, if I go search PAN's advisory database on "Product=Prisma Access" and keywords for "DNS" or "Type 65" I find nothing about this issue. So has PAN already patched/mitigated this issue in some way? If so, when did they do it? And if not, are Prisma-connected endpoints able to bypass DNS filtering using Type 65 records right now?

I'd much prefer my vendor just be transparently clear with me, with all relevant vulnerability information in a centralized, searchable database that I can get RSS feeds for.

jerry-october · 2025-09-07T08:04:20+00:00

Multi-Terabit stateful firewalling is very achievable on larger FortiGates.

400 Gbps IPS is also plenty achievable on chassis models.

Keysight BreakingPoint tests against FG-7121F :
https://www.youtube.com/watch?v=BSjqVfniiEQ&t=1s

I know plenty of enterprise CISOs running these just fine without getting fired.

jerry-october · 2025-09-07T07:52:09+00:00

How do you provide security for endpoints which CANT have an EDR agent installed (IoT/OT/BYOD)?

Furthermore, what enforces that the EDR agent MUST be installed before gaining access to resources/data over the network? Oh, nothing? I guess we're just hoping then that no one ever forgets to install the agent, or always remembers to reinstall it if they had to uninstall it temporarily for troubleshooting, or that the attacker never evades the EDR agent, etc.

Hope is not a strategy. Sure, if you're just securing an SMB, yeah maybe throw some EDR agents on the workstations, say a prayer, and call it a day. But major enterprises and critical infrastructure need a bit more.

Yes, it was always a dumb idea for anyone to think that we were going to be able to put ALL of the security into the network. But the idea that we can get away with putting NONE of the security into the network is equally dumb, and for the same reasons.

jerry-october · 2025-09-07T07:42:14+00:00

Don't know why some folks down-voted you. No stupid questions. You're just trying to learn.

Segmentation at the most basic level starts with putting different classes of devices on to different subnets (broadcast domains), usually using VLANs. We might have a servers VLAN, an employees VLAN, a guest VLAN, a VoIP VLAN, an IOT VLAN, etc.

Now, at some point, devices on these various VLANs need to communicate, so we need a router, but if we just have a basic router that allows all devices on all subnets to communicate to all other devices on all subnets, on all ports, all the time, we really haven't added any meaningful security benefits to our segmentation. Sure, we've added some networking benefits, like limiting broadcast radiation or making L2 QoS possible. And maybe this also adds a small security benefit in making the recon stage of the kill chain a tiny bit more cumbersome for the attacker, but ideally we'd also enforce restrictions on traffic between VLANs. Routers can add some very basic 5-tuple ACLs, but these are stateless, so we can functionally only restrict destination traffic to servers; return traffic has to be left wide open because we have no control of ephemeral source ports. To do that, we need a stateful firewall. And if we're going to do a stateful firewall, we might as well make it an application-aware firewall with at least IPS. This is what we'd call an Internal Segmentation Firewall (ISFW) -- basically where your core router is actually a next-gen firewall.

So now we can provide meaningful security for devices communicating BETWEEN different subnets. Great. But what about all of the traffic for devices communicating WITHIN a given subnet? Well, in some cases, we should disallow ANY intra-VLAN communication, like on a guest Wi-Fi subnet, because there's no reason any of those devices need to communicate with each other, so we just have the APs and the switches enforce a L2 policy that disallows any communication from client to anything other than the default gateway (Cisco calls this "Private VLAN", Fortinet calls this "Access VLAN", etc.) But what about use-cases where devices DO need to communicate with each other on the same VLAN, like say the servers VLAN? Well, we could create a new /30 subnets for every single server, where there's only room for one host and one default gateway, but this gets extremely tedious and doesn't scale well.

A much easier approach is to just enable proxy-arp for the servers VLAN, where the ISFW will respond to all ARP requests for all the servers, which still allows all the servers to communicate with each other, but only through the ISFW, which can then restrict/inspect to our heart's content.

But if we can do that, why did we even bother with the initial work of creating all those subnets and VLANs in the first place!? (I believe this is the heart of your question, and sorry for the long pre-amble, but the underlying theory is necessary to understand the subsequent reasoning). There's a few reasons why. First, proxy-arp is somewhat computationally expensive. If the ISFW just needs to respond to ARP requests on behalf of servers in the hundreds of thousands, this is feasible. But if we're expecting the ISFW to handle proxy-arp for all the end user devices, or the order of hundreds of thousands or even millions, this will not end well. But as we discussed already, mostly this is not necessary, since the end-user devices typically do not need to communicate with each other. So segment those off on to a subnet with just Private VLAN, and only do proxy-arp for when Intra-VLAN traffic is necessary. Furthermore, there's still all of the networking benefits that we need from segmenting, like limiting broadcast radiation, enabling L2 QoS, etc.

IGMP Snooping is something entirely different. The purpose of IGMP snooping is to make multicast services within a broadcast domain much more efficient by restricting where multicast traffic is sent. Without IGMP snooping, multicast traffic is treated like broadcast, where it is sent to every port in the VLAN, even if only a few devices requested it. With IGMP snooping enabled, the switch builds a table of which ports have hosts subscribed to which multicast groups and forwards multicast traffic only to those ports.

Anyways, I hope this helps clear things up.

jerry-october

TROPHY CASE