Create Threat Exceptions
Advanced Threat Prevention

Where Can I Use This?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS or Panorama Managed)
  • VM-Series
  • CN-Series

What Do I Need?
  • Advanced Threat Prevention or Threat Prevention License

Palo Alto Networks defines a recommended default action (such as block or alert) for threat signatures. You can use a threat ID to exclude a threat signature from enforcement or modify the action that is enforced for that threat signature. For example, you can modify the action for threat signatures that are triggering false positives on your network.
Configure threat exceptions for antivirus, vulnerability, spyware, and DNS signatures to change enforcement for a threat. However, before you begin, make sure the threats are being properly detected and enforced based on the default or best practice signature settings for an optimum security posture:

Cloud Management

  1. Exclude antivirus signatures from enforcement.
    While you can use a WildFire and Antivirus profile to exclude antivirus signatures from enforcement, you cannot change the action that is enforced for a specific antivirus signature. However, you can define the action enforced when viruses are found in different types of traffic by editing the security profile's Enforcement Actions.
    1. Select Manage > Configuration > NGFW and Prisma Access > Security Services > WildFire and Antivirus.
    2. Add Profile, or select an existing WildFire and Antivirus profile from which you want to exclude a threat signature, and go to the Advanced Settings tab.
    3. From the Signature Exceptions menu, Add Exception and provide the Threat ID for the threat signature you want to exclude from enforcement. You can optionally add notes to the signature exception.
    4. Save the signature exception when you are finished.
    5. A valid threat signature ID auto-populates the threat name field. You can view a complete list of active signature exceptions as well as Delete entries that are no longer necessary.
    6. Repeat to add additional exceptions, or click Save after all of your threat exceptions have been added.
  2. Modify enforcement for vulnerability and spyware signatures (except DNS signatures; while they are a type of spyware signature, DNS signatures are handled through the DNS Security subscription in Prisma Access).
    1. Select Manage > Configuration > NGFW and Prisma Access > Security Services > Anti-Spyware or Manage > Configuration > NGFW and Prisma Access > Security Services > Vulnerability Protection, depending upon the signature type.
    2. Add Profile, or select an existing Anti-Spyware or Vulnerability Protection profile for which you want to modify the signature enforcement, and then select Add Override.
    3. Search for spyware or vulnerability signatures by providing the relevant Match Criteria. This automatically filters the available signatures and displays the results in the Matching Signatures section.
    4. Select the check box for the signature(s) whose enforcement you want to modify.
    5. Provide the updated Action, Packet Capture, and IP Addresses that you want the modified enforcement rules to apply to for the selected signatures.
    6. Save your updated signature enforcement configuration.
    7. You can view a complete list of Overrides, including various statistics, as well as Delete entries that are no longer necessary.

PAN-OS & Panorama

  1. Exclude antivirus signatures from enforcement.
    While you can use an Antivirus profile to exclude antivirus signatures from enforcement, you cannot change the action the firewall enforces for a specific antivirus signature. However, you can define the action for the firewall to enforce for viruses found in different types of traffic by editing the Decoders (Objects > Security Profiles > Antivirus > <antivirus-profile> > Antivirus).
    1. Select Objects > Security Profiles > Antivirus.
    2. Add or modify an existing Antivirus profile from which you want to exclude a threat signature and select Signature Exceptions.
    3. Add the Threat ID for the threat signature you want to exclude from enforcement.
    4. Click OK to save the Antivirus profile.
  2. Modify enforcement for vulnerability and spyware signatures (except DNS signatures; skip to the next option to modify enforcement for DNS signatures, which are a type of spyware signature).
    1. Select Objects > Security Profiles > Anti-Spyware or Objects > Security Profiles > Vulnerability Protection.
    2. Add or modify an existing Anti-Spyware or Vulnerability Protection profile from which you want to exclude the threat signature, and then select either Signature Exceptions for Anti-Spyware Protection profiles or Exceptions for Vulnerability Protection profiles.
    3. Show all signatures and then filter to select the signature for which you want to modify enforcement rules.
    4. Check the box under the Enable column for the signature whose enforcement you want to modify.
    5. Select the Action you want the firewall to enforce for this threat signature.
       For signatures that you want to exclude from enforcement because they trigger false positives, set the Action to Allow.
    6. Click OK to save your new or modified Anti-Spyware or Vulnerability Protection profile.
  3. Modify enforcement for DNS signatures.
    By default, DNS lookups to malicious hostnames that DNS signatures detect are sinkholed.
    1. Select Objects > Security Profiles > Anti-Spyware.
    2. Add or modify the Anti-Spyware profile from which you want to exclude the threat signature, and select DNS Exceptions.
    3. Search for the DNS Threat ID for the DNS signature that you want to exclude from enforcement and select the box of the applicable signature.
    4. Click OK to save your new or modified Anti-Spyware profile.
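Both the Cloud Management and the PAN-OS procedures above end with a list of exceptions and overrides that weaken enforcement for specific signatures, so it is worth reviewing that list before committing it: an Allow override with no IP scope disables the signature for every host, an antivirus or DNS exception cannot carry a changed action, and an exception with no recorded reason is hard to audit later. The following script is an added example, not Palo Alto Networks code or a PAN-OS API call: the record fields, the check names, the action labels and every sample threat ID, address and ticket number are constructed here to illustrate such a pre-commit review of the values you would enter through the GUI.

```python
# Added example (not Palo Alto Networks code): review a proposed list of threat
# exceptions before entering them into a security profile.  Field names, checks,
# action labels and all sample data are constructed for illustration only.
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, List, Optional

# Profile types named in the procedures above, and which of them accept a
# per-signature action change (antivirus and DNS exceptions only exclude).
PROFILE_TYPES = {"antivirus", "anti-spyware", "vulnerability", "dns"}
ACTION_OVERRIDABLE = {"anti-spyware", "vulnerability"}
# Action labels used by this example; mirror the ones your profile offers.
ACTIONS = {"default", "allow", "alert", "drop"}


@dataclass
class ThreatException:
    profile_type: str                   # antivirus | anti-spyware | vulnerability | dns
    threat_id: str                      # signature Threat ID as entered in the profile
    action: Optional[str] = None        # override action; only anti-spyware/vulnerability
    packet_capture: bool = False        # Packet Capture setting of the override
    exempt_ips: List[str] = field(default_factory=list)   # IP Addresses the override is scoped to
    note: str = ""                      # justification, e.g. the false-positive ticket


def validate_exception(exc: ThreatException) -> List[str]:
    """Return the problems found with one proposed exception (empty list = acceptable)."""
    findings: List[str] = []
    if exc.profile_type not in PROFILE_TYPES:
        findings.append(f"unknown profile type {exc.profile_type!r}")
    if not exc.threat_id.isdigit():
        findings.append(f"threat ID {exc.threat_id!r} is not numeric")
    if exc.action is not None and exc.profile_type not in ACTION_OVERRIDABLE:
        findings.append(f"{exc.profile_type} exceptions only exclude a signature; the action cannot be changed")
    if exc.action is not None and exc.action not in ACTIONS:
        findings.append(f"unknown action {exc.action!r}")
    # Exceptions exist to handle false positives, so every entry needs a recorded reason.
    if not exc.note.strip():
        findings.append("missing justification note")
    # An unscoped Allow switches the signature off for every host behind the profile.
    if exc.action == "allow" and not exc.exempt_ips:
        findings.append("allow override is not scoped to any IP addresses")
    for ip in exc.exempt_ips:
        try:
            ip_network(ip, strict=False)
        except ValueError:
            findings.append(f"invalid IP address {ip!r}")
    return findings


def review_exceptions(exceptions: List[ThreatException]) -> Dict[str, List[str]]:
    """Map each 'profile_type:threat_id' to its findings; repeated entries are flagged."""
    report: Dict[str, List[str]] = {}
    for exc in exceptions:
        key = f"{exc.profile_type}:{exc.threat_id}"
        findings = validate_exception(exc)
        if key in report:
            report[key] = report[key] + findings + ["duplicate entry for this signature"]
        else:
            report[key] = findings
    return report


def approved(report: Dict[str, List[str]]) -> List[str]:
    """Keys that passed every check and can be entered as proposed."""
    return sorted(key for key, findings in report.items() if not findings)


# Constructed sample: the threat IDs, addresses and ticket numbers are made up.
SAMPLE = [
    ThreatException("vulnerability", "30001", "allow", True, ["10.20.30.0/24"],
                    "false positive from internal scanner, ticket SEC-1234"),
    ThreatException("anti-spyware", "40002", "allow"),                      # global allow, no reason
    ThreatException("antivirus", "50003", action="alert", note="legacy installer"),  # AV cannot change action
    ThreatException("dns", "60004", exempt_ips=["10.0.0.999"], note="sinkhole test host"),  # bad address
    ThreatException("anti-spyware", "40002", "alert", note="retry"),        # duplicate of entry 2
]

if __name__ == "__main__":
    result = review_exceptions(SAMPLE)
    for key, findings in result.items():
        print(key, "OK" if not findings else "; ".join(findings))
    print("approved:", approved(result))
```

Run as-is it prints one line per proposed exception with its findings; only the IP-scoped, documented Allow override passes. Feeding it your own list before the Save or OK step gives you a written record of why each exception exists, which the optional notes field in the Cloud Management procedure is there to hold.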
