This blog has been updated to include additional detail from the vendor.

During NSS Labs’ NGIPS 5.0 testing, the Palo Alto Networks PA-5250 9.0.3-h2 device experienced an abnormal state where the chunking traffic decoder (CTD) was not engaging properly in our lab environment. This state led to the device being unable to block exploits that used numerous network evasions that relied on chunking techniques.

Palo Alto Networks engineers discovered the issue was caused by a corruption of the content cache. Palo Alto Networks engineers also determined that the abnormal state could be resolved by a clearing a persistent (surviving power cycles) content cache used in the device. Palo Alto Networks has published a customer advisory note that provides details on the issue here:

Enterprise Guidance:
  • Enterprises with concerns can remedy the issue using the guidance in the provided link above.
  • Palo Alto Networks claims that automatic updates address the issue without the need for user intervention.
  • Advice is provided at the Palo Alto Networks advisory link for customers wanting to take extra precautions.

After implementing this fix, NSS Labs was able to determine that all of the tested network evasions that used chunking were subsequently blocked. Palo Alto Networks also informed NSS Labs that the remaining network evasion that was not blocked can be blocked if the non-default Threat ID 54244 is enabled in the device. NSS Labs looks forward to providing validation details in a follow-on test.

NSS is committed to providing enterprises with actionable, accurate data. We hope enterprises can use this information to ensure they are properly protected when using the Palo Alto Networks PA-5250 9.0.3-h2 device.

In October 2019, NSS published the results of our NGIPS v5.0 Group Test, which included five vendors. Test reports are available to subscribers to our Library.