Create Threat Exceptions

Table of Contents

Use DNS Queries to Identify Infected Hosts on the Network

Create Threat Exceptions

Where Can I Use This?	What Do I Need?
Prisma Access (Managed by Strata Cloud Manager) Prisma Access (Managed by Panorama) NGFW (Managed by Strata Cloud Manager) NGFW (Managed by PAN-OS or Panorama) VM-Series CN-Series	Advanced Threat Prevention (for enhanced feature support) or Threat Prevention License

Palo Alto Networks defines a recommended default action (such as block or alert) for threat signatures. You can use a threat ID to exclude a threat signature from enforcement or modify the action that is enforced for that threat signature. For example, you can modify the action for threat signatures that are triggering false positives on your network.

Configure threat exceptions for antivirus, vulnerability, spyware, and DNS signatures to change enforcement for a threat. However, before you begin, make sure the threats are being properly detected and enforced based on the default or best practice signature settings for an optimum security posture:

Get the latest Antivirus, Threats and Applications, and WildFire signature updates (for the firewall).
Set Up Antivirus, Anti-Spyware, and Vulnerability Protection and apply these security profiles to your security policy.

Create Threat Exceptions (Strata Cloud Manager)

Exclude antivirus signatures from enforcement.

While you can use an WildFire and Antivirus profile to exclude antivirus signatures from enforcement, you cannot change the action is enforced for a specific antivirus signature. However, you can define the enforceable action when viruses are found in different types of traffic by editing the security profile Enforcement Actions.
1. Select ManageConfigurationNGFW and Prisma AccessSecurity ServicesWildFire and Antivirus.
2. Add Profile or select an existing WildFire and Antivirus profile from which you want to exclude a threat signature and go to the Advanced Settings tab.
3. From the Signature Exceptions menu, Add Exception and provide the Threat ID for the threat signature you want to exclude from enforcement. You can optionally add notes to the signature exception.
4. Save the signature exception when you are finished.
5. A valid threat signature ID auto-populates the threat name field. You can view a complete list of active signature exceptions as well as Delete entries that are no longer necessary.
6. Repeat to add additional exceptions or click Save after all of your threat exceptions have been added.
Modify enforcement for vulnerability and spyware signatures (except DNS signatures; while they are a type of spyware signature, DNS signatures are handled through the DNS Security subscription in Prisma Access).
1. Select ManageConfigurationNGFW and Prisma AccessSecurity ServicesAnti-Spyware or ManageConfigurationNGFW and Prisma AccessSecurity ServicesVulnerability Protection, depending upon the signature type.
2. Add Profile or select an existing Anti-Spyware or Vulnerability Protection profile from which you want to modify the signature enforcement, and then select Add Override.
3. Search for spyware or vulnerability signatures by providing the relevant Match Criteria. This automatically filters the available signatures and displays the results in the Matching Signatures section.
4. Select the check box for the signature(s) whose enforcement you want to modify.
5. Provide the updated Action, Packet Capture, and IP Addresses that you want the modified enforcement rules to apply to for the selected signatures.
6. Save your updated signature enforcement configuration.
7. You can view a complete list of Overrides including various statistics, as well as Delete entries that are no longer necessary.

Create Threat Exceptions (NGFW (Managed by PAN-OS or Panorama))

Exclude antivirus signatures from enforcement.

While you can use an Antivirus profile to exclude antivirus signatures from enforcement, you cannot change the action the firewall enforces for a specific antivirus signature. However, you can define the action for the firewall to enforce for viruses found in different types of traffic by editing the Decoders (ObjectsSecurity ProfilesAntivirus > <antivirus-profile> > Antivirus).
1. Select ObjectsSecurity ProfilesAntivirus.
2. Add or modify an existing Antivirus profile from which you want to exclude a threat signature and select Signature Exceptions.
3. Add the Threat ID for the threat signature you want to exclude from enforcement.
4. Click OK to save the Antivirus profile.
Modify enforcement for vulnerability and spyware signatures (except DNS signatures; skip to the next option to modify enforcement for DNS signatures, which are a type of spyware signature).
1. Select ObjectsSecurity ProfilesAnti-Spyware or ObjectsSecurity ProfilesVulnerability Protection.
2. Add or modify an existing Anti-Spyware or Vulnerability Protection profile from which you want to exclude the threat signature and then select either Signature Exceptions for Anti-Spyware Protection profiles or Exceptions for Vulnerability Protection profiles.
3. Show all signatures and then filter to select the signature for which you want to modify enforcement rules.
4. Check the box under the Enable column for the signature whose enforcement you want to modify.
5. Select the Action you want the firewall to enforce for this threat signature.
  
  For signatures that you want to exclude from enforcement because they trigger false positives, set the Action to Allow.
6. Click OK to save your new or modified Anti-Spyware or Vulnerability Protection profile.
Modify enforcement for DNS signatures.
By default, the DNS lookups to malicious hostnames that DNS signatures are detect are sinkholed.
1. Select ObjectsSecurity ProfilesAnti-Spyware.
2. Add or modify the Anti-Spyware profile from which you want to exclude the threat signature, and select DNS Exceptions.
3. Search for the DNS Threat ID for the DNS signature that you want to exclude from enforcement and select the box of the applicable signature:
4. Click OK to save your new or modified Anti-Spyware profile.