# Redshift Security: Attack Surface Explained

By [Ofir Shaty](https://www.paloaltonetworks.com/blog/author/ofir-shaty/?ts=markdown "Posts by Ofir Shaty") and [Ofir Balassiano](https://www.paloaltonetworks.com/blog/author/ofir-balassiano/?ts=markdown "Posts by Ofir Balassiano")

Apr 05, 2024

![Redshift Security: Attack Surface Explained](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/redshift-security-attack-surface-explained.png)

In our previous two posts, [Access and Data Flows](https://www.paloaltonetworks.com/blog/prisma-cloud/redshift-inside-out-part-1) and [Data Backups and Encryption](https://www.paloaltonetworks.com/blog/prisma-cloud/configuring-aws-redshift-protect-data/), we discussed security best practices to implement [least-privileged access](https://www.paloaltonetworks.com/cyberpedia/what-is-least-privilege-access) on Redshift and reduce the static risk associated with your sensitive data. In today's post we'll show you how an attacker can exploit security risks to achieve [lateral movement](https://www.paloaltonetworks.com/cyberpedia/what-is-lateral-movement) and privilege escalation. This allows the threat actor to leverage weak permissions and reach services and data sources they didn't have access to initially.

## What Is an Attack Vector?

An attack vector is the path that an attacker takes along the cyber kill chain to fulfill their mission. The cyber kill chain is a common way to split an attack into stages, which helps in understanding attacks and how to prevent them.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-2.jpeg)

## IAM Role Association

IAM role association gives Redshift powerful capabilities, such as copying, unloading, querying and analyzing data from external sources. Along with those options, the IAM role carries a risk of exposing [sensitive data](https://www.paloaltonetworks.com/cyberpedia/sensitive-data). We have observed many cases where overly permissive roles are attached to Redshift clusters, exposing sensitive data assets and their content to anyone with basic privileges.

## Redshift Built-In Role

On the "create cluster" page, AWS allows you to create the default role for the Redshift cluster. The default role contains incredibly powerful permissions, with the attached policy "AmazonRedshiftAllCommandsFullAccess".
![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-3.png)

"AmazonRedshiftAllCommandsFullAccess" is a powerful policy containing excessive privileges that can lead to privilege escalation and lateral movement, even when created with the "No additional S3 bucket" option. We'll show later what risks can arise from allowing this policy.

Next, we will demonstrate how an attacker who has gained access to a very basic principal can use this default policy to perform S3 and Glue operations, invoke Lambdas, access Kinesis, and fetch secrets to connect to RDS, Athena and Hive Metastore, all when only given privileges to create a cluster ("redshift:CreateCluster"). The following flow diagram shows the possible attack paths:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-4.gif)

## Basic AWS Principal

For the demo, we're using a basic [AWS principal with a policy attached](https://gist.github.com/OfirBalassiano/183b7538d34c9fcdfcaf19e361164ef7) that allows: 'redshift:CreateCluster', 'redshift:DescribeClusters', 'iam:PassRole', 'ec2:Describe*'

**Pro Tip** It's recommended to know exactly which AWS principals have the permissions above, as they can potentially lead to unexpected access to other services.

An attacker who gains access to AWS with the above low-privileged principal can create a Redshift cluster:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-5.png)

## Performing Reconnaissance with the COPY Command

The COPY command allows the Redshift cluster to load data from external sources like S3, DynamoDB, EMR and EC2. The following flow diagram shows the possible attack path when using the COPY command:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-6.gif)

In this section we will focus on the S3 bucket.
The default role contains the following permissions, which allow an attacker to "list", "create", "delete", and "get objects" from buckets containing "redshift" in their name:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-7.png)

With access to the newly created Redshift cluster, the attacker needs to traverse all the files in the S3 bucket to choose which ones to exfiltrate. The permissions in the default role give the attacker the ability to do so. By using the COPY command with \ instead of \, an attacker can perform reconnaissance on the bucket to extract all the files in it:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-8.png)

To make Redshift ignore encoding and length errors, the attacker can use the 'TRUNCATECOLUMNS' and 'encoding UTF16BE' properties. By querying the "STL_LOAD_COMMITS" table, the attacker can find a list of all the filenames in the bucket:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-9.png)

Using the COPY command, they can list all the files in that bucket. If an attacker tries to list all files in the bucket with their basic AWS principal, and not from Redshift, the request fails with an "Access Denied" error:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-10.png)

Now that the attacker has the list of files in the bucket, it is possible to exfiltrate them one by one with the correct encoding.
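The same "STL_LOAD_COMMITS" rows that hand the attacker a file listing also give defenders a signal. The following is an added example, not code from the original post: it groups exported "STL_LOAD_COMMITS" and "STL_LOAD_ERRORS" rows by COPY query and flags loads that touch non-tabular or mixed file types, or that raise several load errors. The sample rows, bucket names, extension list and thresholds are constructed assumptions.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# Assumed tuning values, not taken from the post: adjust to your own loads.
TABULAR_EXT = {".csv", ".tsv", ".txt", ".json", ".gz", ".parquet", ".orc", ".avro"}
MAX_EXT_KINDS = 2    # distinct file extensions one COPY normally touches
MAX_LOAD_ERRORS = 2  # STL_LOAD_ERRORS rows tolerated per query

# Constructed rows shaped like an export of STL_LOAD_COMMITS
# (columns used: userid, query, filename). Bucket names are made up.
LOAD_COMMITS = [
    {"userid": 101, "query": 5001, "filename": "s3://example-redshift-etl/sales/part-0000.csv   "},
    {"userid": 101, "query": 5001, "filename": "s3://example-redshift-etl/sales/part-0001.csv   "},
    {"userid": 230, "query": 7002, "filename": "s3://example-redshift-hr/employee.csv"},
    {"userid": 230, "query": 7002, "filename": "s3://example-redshift-hr/contracts/offer.pdf"},
    {"userid": 230, "query": 7002, "filename": "s3://example-redshift-hr/backup/db.zip"},
    {"userid": 230, "query": 7002, "filename": "s3://example-redshift-hr/notes.docx"},
]
# Constructed rows shaped like STL_LOAD_ERRORS (columns used: query, filename).
LOAD_ERRORS = [
    {"query": 7002, "filename": "s3://example-redshift-hr/contracts/offer.pdf"},
    {"query": 7002, "filename": "s3://example-redshift-hr/backup/db.zip"},
    {"query": 7002, "filename": "s3://example-redshift-hr/notes.docx"},
]


def _extension(filename):
    """Lower-cased suffix of an S3 key; STL char columns are often space padded."""
    return PurePosixPath(filename.strip()).suffix.lower()


def triage_loads(commits, errors):
    """Group load records per COPY query and return the ones worth a look."""
    files, owner, err_rows = defaultdict(set), {}, defaultdict(int)
    for row in commits:
        files[row["query"]].add(row["filename"].strip())
        owner[row["query"]] = row["userid"]
    for row in errors:
        err_rows[row["query"]] += 1

    findings = []
    for query in sorted(set(files) | set(err_rows)):
        # Keys without any extension are treated as neutral and ignored.
        exts = {_extension(f) for f in files[query]} - {""}
        reasons = []
        odd = sorted(exts - TABULAR_EXT)
        if odd:
            reasons.append("non-tabular:" + ",".join(odd))
        if len(exts) > MAX_EXT_KINDS:
            reasons.append("mixed-file-types")
        if err_rows[query] > MAX_LOAD_ERRORS:
            reasons.append(f"load-errors:{err_rows[query]}")
        if reasons:
            findings.append({"query": query, "userid": owner.get(query),
                             "files": len(files[query]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_loads(LOAD_COMMITS, LOAD_ERRORS):
        print(finding)
```

A flagged query ID can then be looked up in the cluster's query history to see the full COPY statement and the role it used.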
## Structured Data Exfiltration with COPY Command

Loading the "employee.csv" file from the S3 bucket above:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-11.png)

Once the data is loaded, the attacker can query the 'exfil' table to get the data:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-12.png)

If the attacker tries to download the file with the low-privilege user, the command fails with an error:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-13.png)

## Unstructured Data Exfiltration with COPY Command

Next, the attacker can also exfiltrate unstructured data like a PDF file. To do so, they can add properties like 'ACCEPTINVCHARS', 'BLANKSASNULL' and 'IGNOREBLANKLINES' to make the COPY command succeed:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-14.png)

The attacker can query the output table to get the data:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-15.png)

To make this output human readable, the attacker can copy the content and save it as a PDF file.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-16.png)

**Pro Tip** It's possible to detect suspicious usages of the COPY command by continuously monitoring the "STL_LOAD_ERRORS" and "STL_LOAD_COMMITS" tables.

## Privilege Escalation Using the CREATE EXTERNAL SCHEMA Command

Using the CREATE EXTERNAL SCHEMA command, which allows querying from external sources, an attacker can escalate privileges and access external data services like Glue, Athena, Kinesis, RDS and Hive.
The following flow diagram shows the possible attack paths:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-17.gif)

To understand how this is possible, let's look at some of the privileges of the default role:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-18.png)

ListSecrets & GetSecretValue allow users in Redshift to connect to remote sources like RDS, Athena and Hive Metastore. The Redshift cluster gets the secret from Secrets Manager and opens a connection to the external service.

Redshift's default role has interesting permissions for Glue as well. Glue has many uses, especially as an ETL pipe to move data from and to multiple sources (S3, Kinesis or Kafka). The permissions in the default policy:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-19.png)

This means that the Redshift cluster has permission to create and drop databases, get or delete tables in Glue, and more.

The default role allows performing actions on S3 buckets containing "redshift" in their name, but since Glue is not restricted by that policy, an attacker can leverage the Glue service to bypass the name restriction and reach other S3 buckets that don't contain the string "redshift" in their name.
The following flow diagram shows the possible attack paths:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-20.gif)

In this case, the Glue database "attack-redshift" contains the table "lake", which maps to an S3 bucket called "ofir-data-lake":

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-21.png)

Attackers can access Glue objects from Redshift with the following command:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-22.png)

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-23.png)

At this point, the attacker has managed to access S3 bucket files that weren't accessible before. If the attacker tries to access the same file with the COPY command, it fails with an error:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-24.png)

## Invoking Lambda Functions with CREATE EXTERNAL FUNCTION

Redshift's default role also has permission to invoke any Lambda function containing the string "redshift":

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-25.png)

The following flow diagram shows the possible attack paths:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-26.png)

If an attacker tries to invoke the Lambda function "lateral_movement_with_redshift_lambda" with the low-privilege AWS principal, the call fails with permission denied:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-27.png)

If the attacker tries to do the same from within Redshift:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-28.png)

The Lambda will be invoked successfully:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-29.png)

## Extracting Temporary Credentials from EC2

A smart attacker will follow the golden path and try to extend their grip. Using the COPY command, an attacker can execute commands over SSH on EC2, which in turn will allow them to extract the credentials attached to that instance.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-30.png)

Prerequisites:

* EC2 should have an IAM role attached
* EC2 authorized_keys should contain the Redshift cluster public key
* EC2 should use the IMDS
* Manifest file should be uploaded to a location in S3

To extract EC2 credentials, an attacker can take advantage of the Instance Metadata Service (IMDS). By querying the IMDS it's possible to retrieve the temporary credentials attached to the instance along with other metadata information. To do so, the attacker can execute the following command in the EC2:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-31.png)

The attacker can upload the following manifest file with the above command to S3:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-32.png)

Then execute it from Redshift and load the information into the "listing" table:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-33.png)

To view the output of the command, the attacker can query the table they created:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-34.png)

Now the attacker needs to modify the manifest command to contain the role name returned in the previous step and re-execute it one more time to get the credentials.
Also, since the credentials can be long, it is necessary to encode the output in base64:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-35.png)

Attackers that execute the command will get the full credentials encoded in base64:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-36.png)

The attacker can decode the result back to readable text and extract the credentials:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-318179-37.png)

## Summary

We saw some powerful attack vectors that an attacker can perform by leveraging the 'redshift:CreateCluster' permission to escalate privileges, move laterally, and eventually access different resources and exfiltrate sensitive data.

Along with the powerful features that Redshift provides, it's important to make sure that we use the principle of least privilege and keep in mind that attackers may use legitimate actions in their quest. For that reason, you'll want to continuously monitor the logs for suspicious activity.
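To find which principals hold the 'redshift:CreateCluster' plus 'iam:PassRole' combination that every path in this post starts from, the following added example (not code from the original post) scans identity policy documents offline and reports whether the PassRole grant is scoped. The policy documents, principal names and account ID are constructed; NotAction, resource-scoped Deny statements, permission boundaries and SCPs are not evaluated.

```python
import fnmatch

# The permission pair the post's demo principal relies on.
RISKY_ACTIONS = ("redshift:CreateCluster", "iam:PassRole")

# Constructed identity policies keyed by principal name. "analyst-basic" uses
# the action list quoted in the post; its Resource value is an assumption.
POLICIES = {
    "analyst-basic": [{"Statement": [{
        "Effect": "Allow",
        "Action": ["redshift:CreateCluster", "redshift:DescribeClusters",
                   "iam:PassRole", "ec2:Describe*"],
        "Resource": "*"}]}],
    "platform-admin": [{"Statement": [
        {"Effect": "Allow", "Action": "redshift:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::111122223333:role/example-loader",
         "Condition": {"StringEquals":
                       {"iam:PassedToService": "redshift.amazonaws.com"}}}]}],
    "readonly": [{"Statement": {
        "Effect": "Allow", "Action": "redshift:Describe*", "Resource": "*"}}],
    "break-glass": [{"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"}]}],
}


def _as_list(value):
    """IAM allows a single value or a list for Statement, Action, Resource."""
    return value if isinstance(value, list) else [value]


def _covers(stmt, action):
    """IAM action patterns are case-insensitive and support * and ?."""
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(stmt.get("Action", [])))


def _service_scoped(stmt):
    """True if the statement carries an iam:PassedToService condition key."""
    return any(key.lower() == "iam:passedtoservice"
               for operator in stmt.get("Condition", {}).values()
               for key in operator)


def _blanket_deny(stmt, action):
    """Only an unconditional Deny on every resource is treated as blocking."""
    return (stmt.get("Effect") == "Deny" and _covers(stmt, action)
            and "*" in _as_list(stmt.get("Resource", []))
            and not stmt.get("Condition"))


def audit(policies_by_principal):
    """Map each principal holding both risky actions to a PassRole verdict."""
    findings = {}
    for principal, documents in policies_by_principal.items():
        stmts = [s for doc in documents
                 for s in _as_list(doc.get("Statement", []))]
        grants = {}
        for action in RISKY_ACTIONS:
            if any(_blanket_deny(s, action) for s in stmts):
                break
            grants[action] = [s for s in stmts
                              if s.get("Effect") == "Allow" and _covers(s, action)]
            if not grants[action]:
                break
        else:  # both actions are allowed and neither is blanket-denied
            wide_open = any("*" in _as_list(s.get("Resource", []))
                            and not _service_scoped(s)
                            for s in grants["iam:PassRole"])
            findings[principal] = ("unrestricted-passrole" if wide_open
                                   else "scoped-passrole")
    return findings


if __name__ == "__main__":
    for name, verdict in audit(POLICIES).items():
        print(name, verdict)
```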