Version Minor Version Suggested Solution Cloud NGFW All No action needed. PAN-OS 12.1 12.1.5 through 12.1.6 Upgrade to 12.1.7 or later. 12.1.2 through 12.1.4-h* Upgrade to 12.1.4-h6 or 12.1.7 or later. PAN-OS 11.2 11.2.11 or later Upgrade to 11.2.12 or later. 11.2.8 through 11.2.10-h* Upgrade to 11.2.10-h7 or 11.2.12 or later. 11.2.5 through 11.2.7-h* Upgrade to 11.2.7-h14 or 11.2.12 or later. 11.2.0 through 11.2.4-h* Upgrade to 11.2.4-h17 or 11.2.12 or later. PAN-OS 11.1 11.1.14 or later Upgrade to 11.1.15 or later. 11.1.11 through 11.1.13-h* Upgrade to 11.1.13-h5 or 11.1.15 or later. 11.1.8 through 11.1.10-h* Upgrade to 11.1.10-h25 or 11.1.15 or later. 11.1.7 through 11.1.7-h* Upgrade to 11.1.7-h6 or 11.1.15 or later. 11.1.5 through 11.1.6-h* Upgrade to 11.1.6-h32 or 11.1.15 or later. 11.1.0 through 11.1.4-h* Upgrade to 11.1.4-h33 or 11.1.15 or later. PAN-OS 10.2 10.2.17 through 10.2.18-h* Upgrade to 10.2.18 or 10.2.18-h6 or later. 10.2.14 through 10.2.16-h* Upgrade to 10.2.16-h7 or 10.2.18 or later. 10.2.11 through 10.2.13-h* Upgrade to 10.2.13-h21 or 10.2.18 or later. 10.2.8 through 10.2.10-h* Upgrade to 10.2.10-h36 or 10.2.18 or later. 10.2.0 through 10.2.7-h* Upgrade to 10.2.7-h34 or 10.2.18 or later. All older unsupported PAN-OS versions Upgrade to a supported fixed version. Prisma Access 10.2 10.2.0 through 10.2.10-h* Upgrade to 10.2.10-h36 or later. Prisma Access 11.2 11.2.0 through 11.2.7-h* Upgrade to 11.2.7-h13 or later.

Note: With this fix, if the firewall is configured to use an authentication override cookie for the GlobalProtect Portal or Gateway, it will regenerate the cookie using a more secure method. Therefore, GP users will need to re-authenticate after a PAN-OS upgrade, even if a valid cookie is present. This is a one time requirement. Once they re-authenticate after the upgrade, the authentication override cookie and its validity will work as they do today.

This issue affects firewalls with GlobalProtect portal or gateway configured when authentication override cookies are enabled and a specific certificate configuration exists. To check if authentication cookies are enabled follow the steps below: On the Portal: 1. Navigate to Network > GlobalProtect > Portals in the management interface. 2. Click on your Portal Name and go to the Agent tab. 3. Click on your Agent Configuration profile. 4. Go to the Authentication tab. 5. Generate cookie for authentication override or Accept cookie for authentication override options are checked. On the Gateway: 1. Navigate to Network > GlobalProtect > Gateways in the management interface. 2. Click on your Gateway Name and go to the Agent tab. 3. Click on your Client Settings profile. 4. Go to the Authentication Override tab. 5. Accept cookie for authentication override option is checked.

Customers can mitigate the risk of this issue by taking any of the following actions: * Use a dedicated certificate for Authentication Override cookies: Generate a new certificate exclusively for authentication override cookies and store it securely. Do not reuse the portal or gateway certificate, and do not share this certificate with other features or users. * Disable Authentication Override: Uncheck the Authentication Override options (for generating and accepting cookies) in the GlobalProtect portal and gateway configuration.

Palo Alto Networks has become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied.