Add a Global Endpoint Policy Exception
As an alternative to adding an endpoint-specific exception in policy rules, you can define and manage global exceptions that apply across all of your endpoints. On the Global Exception page, you can manage all the global exceptions in your organization for all platforms. Together with Exceptions Security Profiles, global exceptions constitute the sum of all the exceptions allowed within your security policy rules.
Add a Global Process Exception
- Go to Endpoints > Policy Management > Policy Exceptions.
- Select Process exceptions.
- Select the operating system.
- Enter the name of the process.
- Select one or more Endpoint Protection Modules that will allow this process to run. The modules displayed on the list are the modules relevant to the operating system defined for this profile. To apply the process exception on all security modules, Select all. To apply the process exception on all exploit security modules, select Disable Injection. Click the adjacent arrow to add the exception.
- After you add all exceptions, Save your changes. The new process exception is added to the Global Exceptions in your network and will be applied across all rules and policies. To edit the exception, select it and click the edit icon. To delete it, select it and click the delete icon.
Add a Global Support Exception
- Go to Endpoints > Policy Management > Policy Exceptions.
- Select Support exceptions. Import the JSON file you received from the Palo Alto Networks support team by either browsing for it in your files or by dragging and dropping the file on the page.
- Click Save. The new support exception is added to the Global Exceptions in your network and will be applied across all rules and policies.
Add a Global Behavioral Threat Protection Rule Exception
When you view in the Alerts table a Behavioral Threat alert for a rule you want to allow across your organization, you can create a Global Exception for that rule.
- Right-click the alert and select Create alert exception.
- Review the alert data (platform and rule name) and select Exception Scope: Global.
- Click Add. The relevant BTP exception is added to the Global Exceptions in your network and will be applied across all rules and policies. At any point, you can click the Generating Alert ID to return to the original alert from which the exception originated. To delete a specific global exception, select it and click X. You cannot edit global exceptions generated from a BTP security event.
Add a Global Local Analysis Rules Exception
When you view in the Alerts table a Local Analysis alert that was triggered as a result of local analysis rules, you can create a Global Exception to allow these rules across your organization.
- Right-click the alert and select Create alert exception.
- Review the alert data (platform and rule name) and select Exception Scope: Global.
- Click Add. The relevant Local Analysis Rules exception is added to the Global Exceptions in your network and will be applied across all rules and policies. The exception allows all the rules that triggered the alert, and you cannot choose to allow only specific rules within the alert. At any point, you can click the Generating Alert ID to return to the original alert from which the exception originated. To delete a specific global exception, select it and click X. You cannot edit global exceptions generated from a local analysis security event.
Review Advanced Analysis Exceptions
With Advanced Analysis, Cortex XDR can provide a secondary validation of XDR Agent alerts raised by exploit protection modules. To perform the additional analysis, Cortex XDR analyzes alert data sent by the Cortex XDR agent. If Advanced Analysis indicates an alert is actually benign, Cortex XDR can automatically create exceptions and distribute the updated security policy to your endpoints.
By enabling Cortex XDR to automatically create and distribute global exceptions, you can minimize disruption for users when they subsequently encounter the same benign activity. To enable the automatic creation of Advanced Analysis Exceptions, configure the Advanced Analysis options in Configure Global Agent Settings.
For each exception, Cortex XDR displays the affected platform, exception name, and the relevant alert ID for which Cortex XDR determined activity was benign. To drill down into the alert details, click the Generating Alert ID.
Add a Global Digital Signer Exception
When you view in the Alerts table a Digital Signer Restriction alert for a digital signer you trust and want to allow from now on across your network, create a Global Exception for that digital signer directly from the alert.
- Right-click the alert and select Create alert exception.
- Review the alert data (Platform, signer, and alert ID) and select Exception Scope: Global.
- Click Add. The relevant digital signer exception is added to the Global Exceptions in your network and will be applied across all rules and policies. At any point, you can click the Generating Alert ID to return to the original alert from which the exception originated. To delete a specific global exception, select it and click X. You cannot edit global exceptions generated from a digital signer restriction security event.
Add a Global Java Deserialization Exception
When you view in the Alerts table a Suspicious Input Deserialization alert for a Java executable you want to allow from now on across your network, create a Global Exception for that executable directly from the alert of the security event that prevented it.
- Right-click the alert and select Create alert exception.
- Review the alert data (Platform, Process, Java executable, and alert ID) and select Exception Scope: Global.
- Click Add. The relevant digital signer exception is added to the Global Exceptions in your network and will be applied across all rules and policies. At any point, you can click the Generating Alert ID to return to the original alert from which the exception originated. To delete a specific global exception, select it and click X. You cannot edit global exceptions generated from a digital signer restriction security event.
Add a Global Local File Threat Examination Exception
When you view in the Alerts table a Local Threat Detected alert for a PHP file you want to allow from now on across your network, create a Global Exception for that file directly from the alert of the security event that prevented it.
- Right-click the alert and select Create alert exception.
- Review the alert data (Process, Path, and Hash) and select Exception Scope: Global.
- Click Add. The relevant PHP file is added to the Global Exceptions in your network and will be applied across all rules and policies. At any point, you can click the Generating Alert ID to return to the original alert from which the exception originated. To delete a specific global exception, select it and click X. You cannot edit global exceptions generated from a local file threat examination exception restriction security event.