Mysterious Palo Alto firewall reboots? You're not alone

Limited-edition hotfix to get wider release before end of month


Administrators of Palo Alto Networks' firewalls have complained the equipment falls over unexpectedly, and while a fix has been prepared, it's not yet generally available.

Multiple customers have reported that some hardware running version 11.1.4-h7/h9 of PAN-OS, the software that powers Palo Alto’s firewalls, reboot at random moments.

"We have had three of our eight firewalls unexpectedly reboot in the past few months," observed one netizen.

We know having firewalls spontaneously reboot is not ideal. These strange failures can be mistaken for something more malicious, such as exploitation of a security bug or an intrusion, or for something as frustrating as an intermittent hardware fault. A glitching firewall can therefore be taken as a sign of something serious, and such false alarms are not what overworked and stressed defenders need.

Thankfully there's a fix. Palo Alto told The Register a patch is available, albeit as a limited release for now, and that the restarts are triggered by specific network traffic.

"The hotfix 11.1.4-h12, which resolves the unexpected reboot issue, was initially shipped with limited availability on January 31. This version was made available to customers requiring immediate resolution, accessible through their account team," a spokesperson told us.

"We are currently validating an additional unrelated regression fix in hotfix 11.1.4-h13. Our goal is to release this as a generally available (GA) update by February 20 or sooner. This will ensure all systems are fully optimized and secure with the latest updates."

Palo Alto declined to detail the traffic conditions that can cause its firewalls to reboot, or the specifics of the fault itself, citing security grounds.
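For admins trying to work out which boxes in their estate are on the builds named above, here is a small triage helper. It is an added example, not Palo Alto's code or tooling: it parses PAN-OS version strings in the `major.minor.maintenance-hN` form used in this article, marks 11.1.4-h7 and 11.1.4-h9 as the builds customers reported, and flags any other 11.1.4 build below the h12 hotfix as "not yet on the fixed hotfix" so it can be checked with the vendor. The inventory entries are constructed sample data, and the classification labels are this example's own.

```python
import re
from typing import Dict, Iterable, NamedTuple, Tuple


class PanosVersion(NamedTuple):
    """PAN-OS version as a comparable tuple; hotfix is 0 when there is no -hN suffix."""
    major: int
    minor: int
    maint: int
    hotfix: int


# Matches e.g. "11.1.4", "11.1.4-h7"; anything else is rejected rather than guessed at.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text: str) -> PanosVersion:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanosVersion(int(major), int(minor), int(maint), int(hotfix or 0))


# Builds named in the article: the two customers reported rebooting, and the hotfix said to resolve it.
REPORTED_AFFECTED = {parse_panos_version(v) for v in ("11.1.4-h7", "11.1.4-h9")}
FIXED_HOTFIX = parse_panos_version("11.1.4-h12")

# Classification labels are this example's own, not vendor terminology.
STATUS_REPORTED = "reported-affected"          # exactly h7 or h9 of 11.1.4
STATUS_BELOW_FIX = "11.1.4-below-h12"           # other 11.1.4 builds older than the fix; verify with vendor
STATUS_OTHER = "not-in-reported-range"          # on/after h12, or a different release train


def assess(version: str) -> str:
    """Classify one PAN-OS version string against the builds the article names."""
    v = parse_panos_version(version)
    if v in REPORTED_AFFECTED:
        return STATUS_REPORTED
    same_release = v[:3] == FIXED_HOTFIX[:3]
    if same_release and v.hotfix < FIXED_HOTFIX.hotfix:
        return STATUS_BELOW_FIX
    return STATUS_OTHER


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (hostname, version) pair to its status; unparseable versions get 'unparseable'."""
    result: Dict[str, str] = {}
    for hostname, version in inventory:
        try:
            result[hostname] = assess(version)
        except ValueError:
            result[hostname] = "unparseable"
    return result


# Constructed sample inventory (hostnames and versions invented for this example).
SAMPLE_INVENTORY = [
    ("fw-dc1-edge", "11.1.4-h7"),
    ("fw-dc2-edge", "11.1.4-h9"),
    ("fw-branch-a", "11.1.4-h12"),
    ("fw-branch-b", "11.1.4"),
    ("fw-lab", "10.2.9-h1"),
    ("fw-unknown", "n/a"),
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:14s} {status}")
```

Point `triage` at the (hostname, version) pairs from your own device list; the three labels separate boxes on the reported builds from those that merely have not yet received h12, which is the list you would take to your account team while the hotfix remains limited-availability.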

Proofpoint wobbles... FYI, on Monday, Proofpoint's anti-spam service began rejecting legitimate emails, or blocking them altogether, according to users and one reseller.

"Proofpoint experienced a software issue that temporarily impacted the delivery of emails containing URLs," the vendor told The Register.

"A corrupted detection rule misclassified certain URLs, leading to quarantined messages. The issue was quickly identified and resolved. No messages were lost, and all systems are currently processing new emails normally. This was not a cyberattack, and emails without URLs were unaffected."

We reckon the restarts will be making some nervous because, as one of the big dogs in the firewall field, Palo Alto's products are a target for criminals. Last November thousands of its firewalls were hijacked after a couple of serious flaws that required neither privileges nor user interaction to exploit were found and subsequently abused. Attackers swooped, and firewalls started crypto-mining within 24 hours of a fix being released.

Earlier in 2024 the Iranian state-sponsored Pioneer Kitten crew took aim at Palo Alto products - along with many others - leading to a joint warning from the FBI, CISA, and the Department of Defense Cyber Crime Center in the US. In April of the same year, the manufacturer patched a CVSS 10-out-of-10 command-injection flaw in its firewalls. ®
