Enter a profile name (up to 31 characters). This name appears in the list of Vulnerability Protection profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, periods, and underscores.

Enter a description for the profile (up to 255 characters).

Select this option if you want the profile to be available to:

Select this option to prevent administrators from overriding the settings of this Vulnerability Protection profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.

Specify a name to identify the rule.

Specify a text string to match. The firewall applies a collection of signatures to the rule by searching signature names for this text string.

Specify common vulnerabilities and exposures (CVEs) if you want to limit the signatures to those that also match the specified CVEs.

Each CVE is in the format CVE-yyyy-xxxx, where yyyy is the year and xxxx is the unique identifier. You can perform a string match on this field. For example, to find vulnerabilities for the year 2011, enter “2011”.

Specify whether to limit the signatures for the rule to those that are client side, server side, or either (any).

Select severities to match (informational, low, medium, high, or critical) if you want to limit the signatures to those that also match the specified severities.

Choose the action to take when the rule is triggered. For a list of actions, see Actions in Security Profiles.

The Default action is based on the pre-defined action that is part of each signature provided by Palo Alto Networks. To view the default action for a signature, select ObjectsSecurity ProfilesVulnerability Protection and Add or select an existing profile. Click the Exceptions tab and then click Show all signatures to see a list of all signatures and the associated Action.

Select this option if you want to capture identified packets.

Select single-packet to capture one packet when a threat is detected, or select the extended-capture option to capture from 1 to 50 packets (default is 5 packets). Extended-capture provides more context to the threat when analyzing the threat logs. To view the packet capture, select MonitorLogsThreat and locate the log entry you are interested in and then click the green down arrow in the second column. To define the number of packets that should be captured, select DeviceSetupContent-ID and then edit the Content-ID Settings.

If the action for a given threat is allow, the firewall does not trigger a Threat log and does not capture packets. If the action is alert, you can set the packet capture to single-packet or extended-capture. All blocking actions (drop, block, and reset actions) capture a single packet. The content package on the device determines the default action.

Select Enable for each threat for which you want to assign an action, or select All to respond to all listed threats. The list depends on the selected host, category, and severity. If the list is empty, there are no threats for the current selections.

Specify vendor IDs if you want to limit the signatures to those that also match the specified vendor IDs.

For example, the Microsoft vendor IDs are in the form MSyy-xxx, where yy is the two-digit year and xxx is the unique identifier. For example, to match Microsoft for the year 2009, enter “MS09” in the Search field.

The vulnerability signature database contains signatures that indicate a brute force attack; for example, Threat ID 40001 triggers on an FTP brute force attack. Brute-force signatures trigger when a condition occurs in a certain time threshold. The thresholds are pre-configured for brute force signatures, and can be changed by clicking edit ( ) next to the threat name on the Vulnerability tab (with the Custom option selected). You can specify the number of hits per unit of time and whether the threshold applies to source, destination, or source-and-destination.

Thresholds can be applied on a source IP, destination IP or a combination of source IP and destination IP.

The default action is shown in parentheses.

Click into the IP Address Exemptions column to Add IP address filters to a threat exception. When you add an IP address to a threat exception, the threat exception action for that signature will take precedence over the rule's action only if the signature is triggered by a session with either a source or destination IP address matching an IP address in the exception. You can add up to 100 IP addresses per signature. You must enter a unicast IP address (that is, an address without a netmask), such as 10.1.7.8 or 2001:db8:123:1::1. By adding IP address exemptions, you do not have to create a new policy rule and new vulnerability profile to create an exception for a specific IP address.

Select a vulnerability category if you want to limit the signatures to those that match that category.

Choose an action from the drop-down, or choose from the Action drop-down at the top of the list to apply the same action to all threats.

Select Packet Capture if you want to capture identified packets.