Palo Alto Networks defines a recommended default
action (such as block or alert) for threat signatures. You can use
a threat ID to exclude a threat signature from enforcement or modify
the action the firewall enforces for that threat signature. For
example, you can modify the action for threat signatures that are
triggering false positives on your network.
exceptions for antivirus, vulnerability, spyware, and DNS signatures
to change firewall enforcement for a threat. However, before you
begin, make sure the firewall is detecting and enforcing threats
based on the default signature settings:
Get the latest Antivirus,
Threats and Applications, and WildFire signature updates.
While you can use an Antivirus profile to exclude
antivirus signatures from enforcement, you cannot change the action
the firewall enforces for a specific antivirus signature. However,
you can define the action for the firewall to enforce for viruses
found in different types of traffic by editing the Decoders (
or modify an existing Antivirus profile
from which you want to exclude a threat signature and select
the threat signature you want to exclude from enforcement.
to save the Antivirus profile.
Modify enforcement for vulnerability and spyware signatures (except
DNS signatures; skip to the next option to modify enforcement for
DNS signatures, which are a type of spyware signature).
or modify an existing Anti-Spyware or
Vulnerability Protection profile from which you want to exclude
the threat signature and then select either
for Anti-Spyware Protection profiles or
Vulnerability Protection profiles.
Show all signatures
filter to select the signature for which you want to modify enforcement rules.
Check the box under the
for the signature whose enforcement you want to modify.
the firewall to enforce for this threat signature.
signatures that you want to exclude from enforcement because they trigger
false positives, set the
to save your new or
modified Anti-Spyware or Vulnerability Protection profile.
Modify enforcement for DNS signatures.
By default, the DNS lookups to malicious hostnames that
DNS signatures detect are sinkholed.
or modify the Anti-Spyware
profile from which you want to exclude the threat signature, and
Search for the DNS Threat ID for the DNS signature
that you want to exclude from enforcement and select the box of
the applicable signature:
to save your new or
modified Anti-Spyware profile.