1. Introduction
The web interface for a Palo Alto Networks PAN-OS firewall or Panorama was detected on the remote host. Panorama is used to manage multiple firewalls centrally. Having this interface accessible from outside your network creates an attack surface. Successful exploitation could allow attackers to compromise your firewalls and wider network, impacting confidentiality, integrity, and availability of data.
2. Technical Explanation
The exposure exists because the web interface listens on a network interface that is reachable from outside the organization. An attacker can attempt to reach this interface remotely and try default credentials or known exploits against the PAN-OS software. A typical attack involves brute-forcing login attempts, followed by command execution if a login succeeds.
- Root cause: The web interface is accessible from an external network without sufficient protection.
- Exploit mechanism: An attacker uses HTTP(S) to connect to the firewall’s web interface and attempts to log in with default or stolen credentials, then executes commands.
- Scope: Palo Alto Networks PAN-OS firewalls and Panorama appliances are affected.
3. Detection and Assessment
You can confirm exposure by checking network connectivity and the version of PAN-OS running on your firewall. Scanning tools can also help identify open ports.
- Quick checks: Use ping to check basic reachability, then use a web browser to access the interface over HTTPS at its management address.
- Scanning: The Nessus checks linked in section 8 (the 1bd9c811 and 0cc6d903 links) can detect this issue. These are examples only; other scanners may also be suitable.
- Logs and evidence: Check firewall logs for connection attempts to the web interface from unexpected sources.
4. Solution / Remediation Steps
The primary solution is to restrict access to the web interface. This can be done through network controls or by disabling remote access.
4.1 Preparation
- Ensure you have console access in case of issues. The rollback plan is to restore the previous configuration snapshot.
- Changes should be approved by a senior network engineer or security team member.
4.2 Implementation
- Step 1: Create a firewall rule blocking external access to ports used by the web interface (typically HTTPS port 443).
- Step 2: If remote access is not required, disable the web interface entirely using the PAN-OS CLI or GUI.
4.3 Config or Code Example
Before
# No rule blocking access to HTTPS port 443 from external networks
After
# Security policy rule denying external access to the web interface (PAN-OS configure mode).
# Place it above any rule that would otherwise allow the traffic; the from/to zones,
# not shown on the original page, must also be set before the commit succeeds.
# The destination address is elided on the original page; only the /32 mask survives.
set rulebase security rules "Block External Web UI" action deny
set rulebase security rules "Block External Web UI" source any
set rulebase security rules "Block External Web UI" destination /32
set rulebase security rules "Block External Web UI" service service-https
Security policy rules only govern traffic that passes through dataplane interfaces. Access to the dedicated MGT port is restricted instead through the permitted IP address list under Device > Setup > Interfaces > Management, and an interface management profile with its own permitted IP list serves the same purpose when the web interface is enabled on a dataplane interface.
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this type of issue.
- Practice 1: Least privilege – restrict access to services only to those who need it, reducing the impact if compromised.
- Practice 2: Network segmentation – isolate firewalls from untrusted networks to limit exposure.
4.5 Automation (Optional)
Automation is not recommended for this specific fix due to the risk of locking yourself out.
5. Verification / Validation
- Post-fix check: Use ping (should succeed) followed by attempting to connect via a web browser from outside the network (should fail).
- Re-test: Re-run the quick checks from section 3; you should no longer be able to access the interface.
- Smoke test: Verify that internal access to the firewall’s management interface remains functional.
- Monitoring: Monitor firewall logs for any failed connection attempts to the web interface from external sources.
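The quick checks in section 3 and the post-fix, smoke-test and re-test steps above reduce to one question per vantage point: is the web interface reachable, and should it be? The script below is an added example, not part of the original page or any Palo Alto Networks tooling. It uses a plain TCP connect to port 443 as the reachability probe (a stand-in for the ping-plus-browser check), and encodes the policy that the external vantage must fail while the internal one must succeed so that the change does not lock administrators out. The host, port and vantage names are assumed inputs; the two `local_*` helpers exist only so the probe can be exercised offline against loopback.

```python
"""Pre/post-change reachability checks for a firewall web interface (added example)."""
import socket
import sys

# Policy: the web interface must NOT answer from outside, and MUST still answer from inside.
POLICY = {"external": False, "internal": True}


def tcp_port_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout, else False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def evaluate_exposure(observed, expected_open=POLICY):
    """Compare observed reachability (vantage -> bool) with the policy; return problems."""
    problems = []
    for vantage, should_be_open in expected_open.items():
        is_open = observed.get(vantage)
        if is_open is None:
            problems.append(f"{vantage}: no observation")
        elif is_open and not should_be_open:
            problems.append(f"{vantage}: web interface reachable but policy says blocked")
        elif not is_open and should_be_open:
            problems.append(f"{vantage}: web interface unreachable but admins need it (possible lockout)")
    return problems


def run_check(host, vantage, port=443, timeout=3.0):
    """Probe one host from the vantage this script is running at and report it."""
    return {vantage: tcp_port_open(host, port, timeout)}


# Offline helpers so the probe can be demonstrated without a real firewall.
def local_listener():
    """Listening socket on an ephemeral loopback port (stands in for an exposed web UI)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def closed_local_port():
    """Pick an ephemeral loopback port and release it so a connect will be refused."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # usage: python check_webui.py <firewall-address> <external|internal>
    if len(sys.argv) != 3 or sys.argv[2] not in POLICY:
        sys.exit("usage: check_webui.py <host> <external|internal>")
    result = run_check(sys.argv[1], sys.argv[2])
    for problem in evaluate_exposure(result, {sys.argv[2]: POLICY[sys.argv[2]]}):
        print(problem)
    print(result)
```

The "external" result is only meaningful when the script is actually run from a host outside your network (a cloud VM or a scanner node), and the "internal" result from the management network; running both from one place tells you nothing about the rule. Merging the two observations and passing them to `evaluate_exposure` gives the combined verdict, which is what a CI job in section 6 would assert on.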
6. Preventive Measures and Monitoring
Regular security assessments and policy updates can help prevent this issue.
- Baselines: Update your firewall baseline configuration to include rules blocking external access to unnecessary services.
- Pipelines: Include network scans in your CI/CD pipeline to identify open ports and exposed interfaces.
- Asset and patch process: Review firewall configurations regularly as part of a change management process.
7. Risks, Side Effects, and Roll Back
Blocking access to the web interface may disrupt legitimate remote administration if not planned correctly.
- Roll back: Remove the firewall rule created in section 4.2 (step 1), and re-enable the web interface if it was disabled in step 2; do this from console or internal access so the rollback itself cannot lock you out.
8. References and Resources
Links to official advisories and documentation.
- Vendor advisory or bulletin: http://www.nessus.org/u?1bd9c811
- NVD or CVE entry: http://www.nessus.org/u?0cc6d903