PAN-OS GlobalProtect Hardening Checklist: 12 Controls That Reduce Attack Surface Beyond Patching

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2026-0257 was not the first critical GlobalProtect vulnerability and will not be the last. PAN-OS GlobalProtect has been in the CISA KEV catalog multiple times across 2024, 2025, and 2026 because it sits at the network perimeter, handles authentication for high-value enterprise environments, and processes complex protocol logic that generates exploitable bugs.
Patching closes the specific CVE. It does not change the underlying attack surface. The controls in this checklist address the configuration weaknesses that make GlobalProtect a recurring target and limit an attacker's ability to leverage future vulnerabilities even before patches are available.
All commands below are for PAN-OS 10.1 and later unless noted. Verify against your specific version in the Palo Alto docs before applying in production.
Certificate Controls (Addresses CVE-2026-0257 Root Cause)
CVE-2026-0257 was exploited specifically because many deployments used the same SSL/TLS certificate for both HTTPS service and GlobalProtect authentication override cookies. An attacker who obtained the certificate could forge authentication cookies.
Control 1: Use a dedicated certificate for authentication override.
Verify current state:
show config running | match certificate
If the same certificate name appears under both ssl-tls-service-profile and authentication-override-cookie-encrypt-decrypt-cert, you are in the vulnerable configuration.
Fix: generate a dedicated self-signed certificate for authentication override:
request certificate generate ca no certificate-name GlobalProtect-Auth-Override
Then update the GlobalProtect gateway configuration to reference this new certificate under Device > Certificate Management > SSL/TLS Service Profile.
Control 2: Enable certificate-based client authentication.
Password-only authentication for GlobalProtect creates a single-factor entry point at the network perimeter. Configure machine certificate authentication as a second factor:
set deviceconfig setting global-protect certificate-profile GP-Client-Cert-Profile
Machine certificates issued by your internal CA validate that the connecting device is a managed, enrolled endpoint before user credentials are checked.
Control 3: Set certificate revocation checking.
Enable OCSP or CRL validation for all certificates used in GlobalProtect profiles:
set shared certificate-profile GP-Cert-Profile use-crl yes use-ocsp yes
Without revocation checking, a stolen certificate from a decommissioned device remains valid indefinitely.
Authentication and Session Controls
Control 4: Disable authentication override cookies if not required.
If your organization does not use SSO flows that require authentication override cookies, disable the feature entirely:
set network tunnel global-protect global-protect-gateway [gw-name] remote-user-tunnel-configs [config-name] authentication-override no
If you require authentication override for SSO, ensure Control 1 (dedicated certificate) is in place and set the cookie lifetime to the minimum required value.
Control 5: Enable multi-factor authentication on all GlobalProtect gateways.
Single-factor password authentication on a perimeter VPN is the dominant initial access pattern in CISA KEV entries for GlobalProtect. Configure MFA through Device > Authentication Profile, add a RADIUS or SAML factor, and assign it to the GlobalProtect gateway authentication profile.
Also enforce MFA on the GlobalProtect Portal, not just the gateway. Attackers who target the portal can obtain pre-logon configuration data that assists in gateway exploitation.
Control 6: Set session limits per user and per IP.
GlobalProtect does not enforce connection limits by default. An attacker running automated credential stuffing or authentication testing generates thousands of sessions. Set limits:
set network tunnel global-protect global-protect-gateway [gw-name] max-user 1
set network tunnel global-protect global-protect-portal [portal-name] client-config max-user 1
Adjust to match your organization's legitimate concurrent session requirements.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Agent Validation and Host Information Profile
Control 7: Enforce Host Information Profile (HIP) checks.
HIP allows GlobalProtect to verify endpoint security posture before granting network access. Endpoints without a current patch level, missing EDR, or with disabled disk encryption can be quarantined to a restricted network segment.
Create a HIP profile that checks for:
- OS patch level within the last 30 days
- Endpoint protection running and updated
- Disk encryption enabled
- No jailbreak or rooted device status
Assign this HIP profile to your Security policy rules so unverified endpoints get restricted access:
set rulebase security rules [rule-name] hip-profiles [HIP-profile-name]
Control 8: Validate GlobalProtect agent version before connection.
Old GlobalProtect agent versions may lack security fixes or telemetry features required for HIP checks. Configure minimum agent version enforcement:
In Panorama or the firewall UI: Network > GlobalProtect > Portals > Agent > Agent Configurations > set minimum version. Connections from agents below the minimum are rejected with a message directing users to update.
Control 9: Enable GlobalProtect Clientless VPN only for required users.
Clientless VPN (browser-based) does not support HIP checks and provides a broader attack surface than the full agent. If you use Clientless VPN, restrict access to only the specific user groups and applications that require it rather than making it available organization-wide.
Management Plane and Interface Controls
Control 10: Restrict management interface access to administrative subnets only.
The PAN-OS management interface (port 443 and 22) must never be reachable from the internet or untrusted networks. Every PAN-OS CVE that targets the management plane requires network reachability to exploit.
Verify current management interface restrictions:
show interface management
Configure a management profile that restricts access to your administrative jump hosts or management VLANs:
set network interface management permitted-ip [admin-subnet/mask]
Also verify that your perimeter firewall policy does not allow any traffic to the management IP from non-administrative sources. The management interface should be on a dedicated OOB management network, not the same segment as production traffic.
Control 11: Disable unused services on the management interface.
Review and disable any service not explicitly required:
set deviceconfig system service disable-telnet yes
set deviceconfig system service disable-userid-syslog-listener-ssl yes
set deviceconfig system service disable-userid-syslog-listener-udp yes
For HTTPS and SSH on the management interface, restrict to TLS 1.2 minimum and disable cipher suites below 128-bit:
set deviceconfig system ssl-tls-service-profile [mgmt-ssl-profile]
Control 12: Enable detailed authentication and session logging to your SIEM.
GlobalProtect authentication events, HIP report failures, and gateway session details are the primary detection surface for exploitation attempts. Ensure these log types are forwarded:
- Authentication: all success and failure events
- GlobalProtect: gateway and portal events
- System: all severity levels
Configure a Syslog server profile in Device > Server Profiles > Syslog and assign it to your log forwarding profile. At minimum, alert on: repeated authentication failures from a single IP, authentication success after a pattern of failures (credential stuffing success), HIP failures that then succeed (indicating a posture bypass), and sessions established from geographic anomalies relative to the user's historical baseline.
The bottom line
Patching CVE-2026-0257 removes one known exploit path. These 12 controls reduce the attack surface that generates recurring GlobalProtect CVEs: shared certificates, single-factor authentication, missing HIP enforcement, and exposed management interfaces. Controls 1 through 3 address the specific configuration weakness exploited in CVE-2026-0257 and should be implemented regardless of patch status. Controls 10 and 11 (management interface lockdown) are the highest-leverage controls for limiting the damage from any future PAN-OS management plane vulnerability. Implement them all, but start with those five.
Frequently asked questions
Does disabling authentication override cookies break single sign-on?
It depends on how your SSO is configured. Authentication override cookies are used specifically to preserve a user's authenticated session across GlobalProtect reconnections without re-authenticating to the identity provider. If you use SAML or Kerberos SSO for GlobalProtect, disabling cookies will force users to re-authenticate after each reconnect. For most organizations the user experience impact is acceptable given the security benefit. If you cannot disable cookies, implementing a dedicated certificate (Control 1) is mandatory.
What is the difference between the GlobalProtect Portal and the GlobalProtect Gateway?
The GlobalProtect Portal is the initial connection point: it authenticates users, delivers the GlobalProtect agent, and provides configuration to the agent about which gateways to connect to. The GlobalProtect Gateway is the tunnel endpoint that processes all VPN traffic after initial authentication. CVE-2026-0257 targeted the gateway's authentication override mechanism. Both require separate hardening configurations and both should have MFA enforced independently.
How do I know if my organization was already exploited via CVE-2026-0257?
Check GlobalProtect gateway authentication logs for authentication events that succeeded without valid user credentials, specifically sessions where the authentication type shows as 'cookie' rather than 'password' or 'certificate' that originated from unexpected source IPs. Also review network traffic logs for any connections from the GlobalProtect gateway's internal interface to internal systems during the exploitation window (May 17 onward for confirmed active exploitation). Rapid7 published specific IOC patterns for this vulnerability that can be queried against firewall and SIEM logs.
Do these hardening controls apply to Prisma Access as well as on-premises GlobalProtect?
Some controls apply to both; others are specific to on-premises PAN-OS deployments. Certificate controls (1-3), authentication controls (4-6), and agent validation (7-9) apply to both Prisma Access and on-premises GlobalProtect. Management interface controls (10-11) are specific to on-premises PAN-OS hardware and VM deployments. Prisma Access management plane security is Palo Alto Networks' responsibility. For Prisma Access, focus on controls 4 through 9 and verify your Prisma Access instance is on the current service version.
How do I know if my GlobalProtect VPN was exploited during the CVE-2024-3400 or similar critical PAN-OS vulnerability window?
Post-exploitation indicators for critical PAN-OS/GlobalProtect vulnerabilities: check the GlobalProtect gateway logs for unusual client IP addresses making authentication attempts during the vulnerability window; examine the PAN-OS management interface access logs for unexpected admin logins or configuration changes; look for new admin accounts created on the firewall; check for unexpected firewall policy changes (new NAT rules, security policy modifications) that would enable lateral movement; and examine the firewall's file system for unexpected files in /tmp or web-accessible directories using the PAN-OS CLI (less /var/log/pan/gpsvc.log). If you have EDR on systems reachable from the GlobalProtect IP range, check for lateral movement artifacts on those systems. Engage Palo Alto Networks support for forensic assistance if exploitation is suspected.
How do you validate that your GlobalProtect HIP checks are actually enforcing posture requirements and not just logging them?
HIP enforcement validation requires testing in enforcement mode rather than trusting policy configuration screens. The most reliable approach: create a test device that deliberately fails one HIP check requirement -- for example, temporarily disabling disk encryption or running an outdated OS patch level -- then attempt to connect to GlobalProtect and verify the device is placed in your restricted network segment rather than granted full access. Many organizations discover during this test that their HIP security policy rules are in monitor mode rather than enforce mode, meaning HIP reports are generated but never actually restrict access. In the PAN-OS Security policy rulebase, verify that the rules referencing HIP profiles have the action set to deny or the appropriate limited-access zone rather than allow-all. Also test the HIP check interval: by default, the GlobalProtect agent checks HIP compliance every 15 minutes, meaning a device that passes the initial check and then disables its endpoint protection retains full access for up to 15 minutes. For high-security environments, reduce the HIP check interval to 5 minutes in the Gateway configuration and verify that a mid-session compliance failure actually triggers a session restriction rather than waiting for the next connection attempt.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
