Strata Cloud Manager
Assess Vulnerabilities
View the vulnerabilities on a firewall according to PAN-OS
version and enabled features.
Strata™ Cloud Manager shows you which vulnerabilities affect a given firewall and
PAN-OS version to help you decide whether you should upgrade. Common Vulnerabilities
and Exposures (CVE) incidents in Strata™ Cloud Manager alert you to known
vulnerabilities on your managed devices. The system generates these incidents 24
hours or more after the initial CVE disclosure, and only after it receives the next
telemetry data transmission from the device, which it uses to assess the device's
vulnerability status. Strata Cloud Manager analyzes the features that have been
enabled to determine the devices impacted by the CVE. Because this detection is
feature-based, if you have not enabled the relevant feature on the firewall, the
system does not raise an incident for it.
Navigate to Incidents > Incidents and
select the PAN-OS Known Vulnerability incident to see the
latest security advisories impacting the firewall that raised
the incident. Select Vulnerabilities in this PAN-OS version
to view the feature affected by each vulnerability in the Feature
Affected column. This helps you decide whether to upgrade a
firewall based on the vulnerability and its impact on your enabled features. If a CVE
is not associated with a feature, the value under Feature
Affected is blank. This type of CVE affects firewalls with the
specified model or version.
By default, the PAN-OS Known Vulnerability incident shows all
of the vulnerabilities in the PAN-OS version on the device. However, if you enabled Product Usage telemetry on the
firewall, you can choose to view only the vulnerabilities that affect the particular
firewall based on its enabled features. That way, you can better understand which
vulnerabilities are a concern for the firewall and make a more informed decision
about whether to upgrade.
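The feature-based filtering described above, modelled as an added Python example (not Palo Alto Networks code and not a Strata Cloud Manager API). The class and field names, feature names, version labels and CVE ids are constructed placeholders, and falling back to the full per-version list when Product Usage telemetry is off is an assumption.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Advisory:
    cve_id: str                  # constructed placeholder id, not a real CVE
    affected_versions: frozenset
    feature_affected: str = ""   # blank: applies by model/version, not by feature

@dataclass
class Firewall:
    name: str
    panos_version: str
    product_usage_telemetry: bool
    enabled_features: set = field(default_factory=set)

def in_version(fw, advisories):
    """Default incident view: every advisory for the device's PAN-OS version."""
    return [a for a in advisories if fw.panos_version in a.affected_versions]

def affecting_device(fw, advisories):
    """Filtered view: advisories whose affected feature is enabled on the device."""
    candidates = in_version(fw, advisories)
    if not fw.product_usage_telemetry:
        # Assumption: with no feature data, treat every advisory as applicable.
        return candidates
    return [a for a in candidates
            if not a.feature_affected or a.feature_affected in fw.enabled_features]

# Constructed sample data.
ADVISORIES = [
    Advisory("CVE-EXAMPLE-0001", frozenset({"version-A"}), "feature-x"),
    Advisory("CVE-EXAMPLE-0002", frozenset({"version-A"}), "feature-y"),
    Advisory("CVE-EXAMPLE-0003", frozenset({"version-A", "version-B"})),
    Advisory("CVE-EXAMPLE-0004", frozenset({"version-B"}), "feature-x"),
]
FLEET = [
    Firewall("fw-edge", "version-A", True, {"feature-x"}),
    Firewall("fw-lab", "version-A", False),
    Firewall("fw-dc", "version-B", True, {"feature-y"}),
]

def triage(fleet, advisories):
    """Map each device to the sorted CVE ids that should drive an upgrade decision."""
    return {fw.name: sorted(a.cve_id for a in affecting_device(fw, advisories))
            for fw in fleet}

if __name__ == "__main__":
    for name, cves in triage(FLEET, ADVISORIES).items():
        print(f"{name}: {', '.join(cves) or 'none'}")
```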
You can also use the PAN-OS CVEs dashboard, which shows you the
number of devices impacted by a specific vulnerability based on the features that
have been enabled on devices. Strata Cloud Manager analyzes the features that have
been enabled to determine the devices impacted by the CVE. The following task shows
how to assess vulnerabilities that impact devices and generate upgrade
recommendations to fix the vulnerabilities.
- From Strata Cloud Manager, navigate to Insights > POSTURE > PAN-OS CVEs.
- Expand a CVE to view the devices impacted by it.
- Select devices that you want to upgrade to fix the vulnerabilities.
- Generate Upgrade Recommendations.
- Click the newly generated report for the devices.
- Select one of the upgrade options to view details about New Features, PAN-OS Known Vulnerabilities, Changes of Behavior, and PAN-OS Known Issues. You can Export the details in a CSV file and download it.