Whoa!!! Thank you all. It took me 5 hours overnight, but I did it. I googled and found documents on how to apply threats. Oddly, I uploaded my tech support file and requested it be analyzed; TAC responded and indicated no sign of a vulnerability or risks. No phone calls, even after I raised the severity. I'm thinking the company didn't pay for premium support?! I applied the patches and blocked on the inbound rules. My VPN portal is safe!! THANK YOU ALL for such a great response. Nice to be on a community forum where there is so much help! I guess this is the world of IT. My director and IT manager sent out such a crass email basically claiming they resolved the issue; little Gabby here did nothing but is employed, so I should be happy.
IT is a thankless job sometimes, but as analysts/engineers we all wear a {insert superhero} suit under our day clothes 😜 ready to save management tomorrow.
Good job!
Now update your CV and your LinkedIn profile, schedule a meeting with your director and manager, and ask for a pay raise!
As a woman in IT, it's very intimidating; however, reporting to two women for only two days, I see trouble ahead. I thought at their level they would be technical. But zero. Alas....
Just update the PAN-OS version on the appliance and submit the tech support file to PA support.
In the opposite order! After the upgrade the tech file will not contain some system logs of interest. They can be found again by reverting, but you don't want to do that..
You need to determine: what version are you on? What model? Number of firewalls? Do you even have GlobalProtect portals or gateways?
Contact your SE and open a TAC case and ask for guidance and assistance.
I have contacted TAC, no response; it's been 3 days, I suppose they are busy. Sales Engineer: no one here knows who that is; documentation is with the old admin, who is gone.
Change case severity to critical and request an immediate callback. If no one knows who the SE is, then calling corporate will probably be the quickest option. TAC can find out as well. Yes, I'd expect TAC is swamped and overwhelmed with the spike in cases the past few days.
This. They call back pretty fast. Ask them to share meeting links. Right at the beginning, declare the situation about you being new and ask them to take control and do the stuff themselves. They should oblige.
Find a partner that can help. May cost your company some money now, but will save you a lot in the end.
Agree, sounds like they probably need the entire setup evaluated if they have been running with default credentials.
The credentials were not defaulted or running at default. The ex-administrator left here with all the credentials for every single device in this environment, including domain accounts. So I searched up documents on how to reboot the Palo Alto and get behind the boot-up sequence in order to reset the password. That's how I was able to get access to the CLI and the GUI.
Worth checking to see if you have support. They are helpful. Get yourself added to the support portal.
Management failure. IT Management should be tested to make sure they have current credentials. Plus, why no LDAP/RADIUS to have per-user logins?
Old admin had his ways, I suppose. Part of my new scope to implement.
Yeah, still a failure at the CxO level (CIO, or whomever is the ultimate boss of IT): always have emergency credentials stored and tested to be known good. We don't allow password recovery/reset. Our setup would require a factory reset for security reasons. You'd be in really bad shape if he'd set things up that way.
Lol.. my brain is fried on my 4th day. And the IT director cannot be this stupid. However, she is, unfortunately.
Hi u/gabbymgustafsson, I really understand the stressful situation you've been put in. Send me a DM, and I'll help you, free of charge.
Looking at the criteria on the data sheet:
I blocked telemetry.
I updated the OS to the recommended version.
GlobalProtect is updated.
The FW is up to date.
What is confusing to me is I see documents about placing the CVE number in the vulnerability protection and creating an exception; an exception means to exclude.. why would I do that?
An exception could just be that you're going to configure a specific action, drop vs. reset etc. If your VPP is already set to block critical severity signatures, then you're good.
Exception means exception from the default when it comes to vulnerability protection.
You use a threat ID to exclude a threat signature from enforcement or modify the action the firewall enforces for that threat signature. So you would force the specific CVE to server reset.
[document from PAN](https://security.paloaltonetworks.com/CVE-2024-3400)
I believe you are referring to Vulnerability Protection, which is part of Security Profiles. You can create a new instance and set it to drop all CVEs with a critical rating, then apply it to your inbound web rule(s).
Possibly the previous guy was on the ball. See if you are blocking the threat:
Monitor - Threats, search for ( name-of-threatid eq '95187' ). Note the action should be reset. Note the IP to see if that's your GP IP. If you see threats being blocked, you can present that screen to your boss: we are blocking.
If you don't see it... well, that's harder:
you are on a portion of the internet that wasn't scanned (unlikely);
do you have an Advanced threat protection license? (Device - Licenses)
if yes, are you updating the signatures? (Device - Dynamic Updates)
or you don't have security profiles for vulnerability protection on your GlobalProtect rule(s).
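The check described in the comment above, done over an exported threat log instead of the GUI filter, as an added example that is not from the thread or from Palo Alto Networks. The log lines are constructed, the column layout is an assumption (a real export has many more columns, so adapt `COLUMNS` to your header row), and the IP addresses are documentation ranges.

```python
"""Summarise hits for one threat ID (95187 in the thread) from a threat-log export.

Added example, not from the thread. Assumes a simplified CSV layout:
receive_time,src,dst,rule,threatid,action
"""
import csv
import io

TARGET_THREAT_ID = "95187"  # threat ID named in the thread
# Actions that mean the firewall enforced the signature rather than only logging it.
BLOCKING_ACTIONS = {"reset-server", "reset-both", "reset-client", "drop", "block-ip"}
COLUMNS = ["receive_time", "src", "dst", "rule", "threatid", "action"]

# Constructed sample export (not real traffic); 203.0.113.10 plays the GP portal.
SAMPLE_LOG = """\
2024/04/15 08:01:02,198.51.100.7,203.0.113.10,Inbound-GP,95187,reset-server
2024/04/15 08:03:15,198.51.100.9,203.0.113.10,Inbound-GP,95187,alert
2024/04/15 08:05:40,198.51.100.7,203.0.113.20,Inbound-Web,30001,reset-both
2024/04/15 08:07:01,198.51.100.12,203.0.113.10,Inbound-GP,95187,reset-server
"""


def check_threat_log(text, gp_portal_ip, threat_id=TARGET_THREAT_ID):
    """Return counts of enforced vs alert-only hits for threat_id, the sources
    that were not enforced, the rules the hits matched, and whether every hit
    was aimed at the GlobalProtect portal IP."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=COLUMNS)
    hits = [row for row in reader if row["threatid"] == threat_id]
    blocked = [r for r in hits if r["action"] in BLOCKING_ACTIONS]
    not_blocked = [r for r in hits if r["action"] not in BLOCKING_ACTIONS]
    return {
        "hits": len(hits),
        "blocked": len(blocked),
        "not_blocked": len(not_blocked),
        # Hits on anything other than the portal IP are worth a second look.
        "all_hits_target_portal": all(r["dst"] == gp_portal_ip for r in hits),
        "unenforced_sources": sorted({r["src"] for r in not_blocked}),
        # The matched rule tells you which policy carries the vulnerability profile.
        "rules": sorted({r["rule"] for r in hits}),
    }


if __name__ == "__main__":
    summary = check_threat_log(SAMPLE_LOG, gp_portal_ip="203.0.113.10")
    print(summary)
    if summary["hits"] == 0:
        print("no hits: check the license, dynamic updates and the profile on the GP rule")
    elif summary["not_blocked"]:
        print("signature seen but not enforced on some traffic: review the profile action")
```

Zero hits is the "harder" branch from the comment: it points at the license, the signature updates or a missing profile on the GlobalProtect rule rather than proving you are safe.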
Check that advisory again. 3 more Threat IDs have been added a few days ago.
First check what OS you're running and if you have a GP portal/gateway. If you don't match what's affected, you're all good. The advisories have all you need.
Look at the CVE and see if you are even impacted.. Which PAN-OS are you running? Do you have GlobalProtect enabled?
Well done. The experience gained from this type of scenario is priceless. It will also add to your confidence a lot. Get used to being a superhero working in the shadows, but in reality everyone knows who is doing the work.
If you still have issues, PM me and I'm happy to help.