View the vulnerabilities on a firewall according to PAN-OS version and enabled
features.
Strata™ Cloud Manager shows you which vulnerabilities affect a given firewall and
PAN-OS version to help you decide whether you should upgrade. Common Vulnerabilities
and Exposures (CVE) incidents in Strata™ Cloud Manager alert you to known
vulnerabilities on your managed devices. The system starts detecting these issues
within an hour of a vulnerability disclosure, and may take up to 24 hours across
all the devices in your deployment. These detections are triggered by the relevant
telemetry data from the device that is needed to assess its vulnerability status. This
capability is feature-based vulnerability detection, meaning that if you have not
enabled the relevant feature on the firewall where the vulnerability exists, the
system does not raise an incident for it. For this capability, Strata Cloud Manager
analyzes the enabled features to determine which devices are impacted by the CVE.
Navigate to Incidents > Incidents and select the PAN-OS Known Vulnerability incident
to see the latest security advisories impacting the firewall that raised the
incident. Select Vulnerabilities in this PAN-OS version to view the affected feature
for a vulnerability in the Feature Affected column. This helps you to decide whether
to upgrade a firewall based on the vulnerability and its impact on your enabled
feature. If a CVE is not associated with a feature, then the value under Feature
Affected is blank. This type of CVE affects the firewall with the specified model or
version.
By default, the PAN-OS Known Vulnerability incident shows all of the vulnerabilities
in the PAN-OS version on the device. However, if you enabled Product Usage telemetry
on the firewall, you can choose to view only the vulnerabilities that affect the
particular firewall based on its enabled features. That way, you can better
understand which vulnerabilities are a concern for the firewall and make a more
informed decision about whether to upgrade.
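The difference between the default per-version view and the feature-based view can be reproduced offline against your own advisory and inventory exports. The following Python sketch is an added example, not Strata Cloud Manager code or its API; the record layout, CVE ids, versions and feature names are constructed, and the fallback for firewalls without telemetry is an assumption.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Advisory:
    cve_id: str
    affected_versions: frozenset
    feature_affected: str = ""  # blank: CVE is not tied to a feature

@dataclass
class Firewall:
    name: str
    panos_version: str
    telemetry_enabled: bool
    enabled_features: set = field(default_factory=set)

def version_view(fw, advisories):
    """Default view: every advisory for the PAN-OS version on the device."""
    return [a for a in advisories if fw.panos_version in a.affected_versions]

def feature_view(fw, advisories):
    """Only the advisories that affect this firewall's enabled features."""
    if not fw.telemetry_enabled:
        # Assumption: without telemetry the enabled features are unknown,
        # so keep the full per-version list.
        return version_view(fw, advisories)
    return [a for a in version_view(fw, advisories)
            if not a.feature_affected or a.feature_affected in fw.enabled_features]

def devices_impacted(firewalls, advisories):
    """Per-CVE count of firewalls that appear in the feature-based view."""
    counts = {a.cve_id: 0 for a in advisories}
    for fw in firewalls:
        for a in feature_view(fw, advisories):
            counts[a.cve_id] += 1
    return counts

# Constructed sample data: placeholder CVE ids, versions and feature names.
ADVISORIES = [
    Advisory("CVE-EXAMPLE-0001", frozenset({"11.1.2"}), "GlobalProtect gateway"),
    Advisory("CVE-EXAMPLE-0002", frozenset({"11.1.2", "10.2.7"})),
    Advisory("CVE-EXAMPLE-0003", frozenset({"10.2.7"}), "SNMP"),
]
FIREWALLS = [
    Firewall("fw-edge", "11.1.2", True, {"GlobalProtect gateway"}),
    Firewall("fw-core", "11.1.2", True, {"SNMP"}),
    Firewall("fw-lab", "10.2.7", False),
]

if __name__ == "__main__":
    for fw in FIREWALLS:
        print(fw.name, [a.cve_id for a in feature_view(fw, ADVISORIES)])
    print(devices_impacted(FIREWALLS, ADVISORIES))
```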
You can also use the PAN-OS CVEs dashboard, which shows you the number of devices
impacted by a specific vulnerability based on the features that have been enabled on
devices. Strata Cloud Manager analyzes the features that have been enabled to
determine the devices impacted by the CVE. The following task shows how to assess
vulnerabilities that impact devices and generate upgrade recommendations to fix the
vulnerabilities.