Create Threat Exceptions
Palo Alto Networks defines a recommended default action (such as block or alert) for threat signatures. You can use a threat ID to exclude a threat signature from enforcement or modify the action the firewall enforces for that threat signature. For example, you can modify the action for threat signatures that are triggering false positives on your network.
Configure threat exceptions for antivirus, vulnerability, spyware, and DNS signatures to change firewall enforcement for a threat. However, before you begin, make sure the firewall is detecting and enforcing threats based on the default signature settings:
- Get the latest Antivirus, Threats and Applications, and WildFire signature updates.
- Set Up Antivirus, Anti-Spyware, and Vulnerability Protection and apply these security profiles to your security policy.
- Exclude antivirus signatures from enforcement. While you can use an Antivirus profile to exclude antivirus signatures from enforcement, you cannot change the action the firewall enforces for a specific antivirus signature. However, you can define the action for the firewall to enforce for viruses found in different types of traffic by editing the Decoders (Objects > Security Profiles > Antivirus > <antivirus-profile> > Antivirus).
  - Select Objects > Security Profiles > Antivirus.
  - Add or modify an existing Antivirus profile from which you want to exclude a threat signature and select Virus Exception.
  - Add the Threat ID for the threat signature you want to exclude from enforcement.
  - Click OK to save the Antivirus profile.
- Modify enforcement for vulnerability and spyware signatures (except DNS signatures; skip to the next option to modify enforcement for DNS signatures, which are a type of spyware signature).
  - Select Objects > Security Profiles > Anti-Spyware or Objects > Security Profiles > Vulnerability Protection.
  - Add or modify an existing Anti-Spyware or Vulnerability Protection profile from which you want to exclude the threat signature and then select Exceptions.
  - Show all signatures and then filter to select the signature for which you want to modify enforcement rules.
  - Enable the signature for which you want to modify enforcement.
  - Select the Action you want the firewall to enforce for this threat signature. For signatures that you want to exclude from enforcement because they trigger false positives, set the Action to Allow. Allow also stops the firewall from logging hits on that signature; if you want to keep a record while suppressing enforcement, use Alert instead. An exception applies to all traffic the profile inspects, so confirm the false positive from the Threat log (threat ID, source, destination) first, and where it is confined to a few hosts prefer an IP address exemption on the same Exceptions tab over allowing the signature for everyone.
  - Click OK to save your new or modified Anti-Spyware or Vulnerability Protection profile.
- Modify enforcement for DNS signatures. By default, DNS lookups to malicious hostnames that DNS signatures detect are sinkholed.
  - Select Objects > Security Profiles > Anti-Spyware.
  - Add or modify the Anti-Spyware profile from which you want to exclude the threat signature, and select DNS Signatures.
  - Add the DNS Threat ID for the DNS signature that you want to exclude from enforcement.
  - Click OK to save your new or modified Anti-Spyware profile.
- Commit the configuration; an exception takes effect only after the commit.
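As an added example (not Palo Alto Networks code), the following Python script turns a batch of exceptions of the kinds described above into PAN-OS configuration-mode set commands, enforcing the constraints from the procedure: an antivirus or DNS exception can only exclude a signature, while a vulnerability or spyware exception carries an action, and a false positive gets Allow only where the profile type supports it. The CLI paths (profiles virus / vulnerability / spyware ... threat-exception, and botnet-domains for DNS signatures) and the action list are assumptions drawn from the layout of these profiles and must be confirmed against show config running on your firewall; the profile names and threat IDs are constructed placeholders, not real signatures.

```python
"""Generate PAN-OS configuration-mode 'set' commands for threat exceptions.

Added example, not code from Palo Alto Networks. The CLI paths and the
action list below are assumptions about PAN-OS syntax; confirm them with
'show config running' (or configure one exception in the GUI and read it
back) before using the output.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Actions offered on the Exceptions tab for vulnerability and spyware
# signatures (assumed list). 'default' keeps the recommended action.
SIGNATURE_ACTIONS = frozenset({
    "default", "allow", "alert", "drop",
    "reset-client", "reset-server", "reset-both", "block-ip",
})

# Profile branch that holds each kind of exception (assumed paths).
# DNS signature exceptions live inside the Anti-Spyware profile.
PROFILE_PATH = {
    "antivirus": "profiles virus",
    "vulnerability": "profiles vulnerability",
    "spyware": "profiles spyware",
    "dns": "profiles spyware",
}


@dataclass(frozen=True)
class ThreatException:
    kind: str                # "antivirus", "vulnerability", "spyware" or "dns"
    profile: str             # security profile that receives the exception
    threat_id: int           # globally unique threat ID taken from the Threat log
    action: str = "default"  # only meaningful for vulnerability and spyware


def _cli_name(name: str) -> str:
    """Quote a profile name for the CLI when it contains spaces or symbols."""
    if not name or '"' in name:
        raise ValueError(f"unusable profile name: {name!r}")
    return name if re.fullmatch(r"[A-Za-z0-9_.-]+", name) else f'"{name}"'


def validate(exc: ThreatException) -> None:
    """Reject combinations the procedure rules out."""
    if exc.kind not in PROFILE_PATH:
        raise ValueError(f"unknown exception kind: {exc.kind}")
    if not isinstance(exc.threat_id, int) or exc.threat_id <= 0:
        raise ValueError(f"threat ID must be a positive integer: {exc.threat_id!r}")
    if exc.action not in SIGNATURE_ACTIONS:
        raise ValueError(f"unsupported action: {exc.action}")
    # Antivirus and DNS exceptions only exclude a signature; there is no
    # per-signature action to set, so anything but 'default' is a mistake.
    if exc.kind in ("antivirus", "dns") and exc.action != "default":
        raise ValueError(f"{exc.kind} exceptions cannot change the action")


def set_command(exc: ThreatException) -> str:
    """Return the single configuration-mode command for this exception."""
    validate(exc)
    base = f"set {PROFILE_PATH[exc.kind]} {_cli_name(exc.profile)}"
    if exc.kind == "antivirus":
        return f"{base} threat-exception {exc.threat_id}"
    if exc.kind == "dns":
        return f"{base} botnet-domains threat-exception {exc.threat_id}"
    return f"{base} threat-exception {exc.threat_id} action {exc.action}"


def false_positive(kind: str, profile: str, threat_id: int) -> ThreatException:
    """Exception for a false positive: Allow for vulnerability/spyware
    signatures (as the procedure recommends), plain exclusion otherwise."""
    action = "allow" if kind in ("vulnerability", "spyware") else "default"
    return ThreatException(kind, profile, threat_id, action)


def commands_for(exceptions: Iterable[ThreatException]) -> List[str]:
    """Deduplicated command list in input order. The operator still reviews
    the output, applies it in configure mode and runs 'commit'."""
    seen = set()
    out: List[str] = []
    for exc in exceptions:
        cmd = set_command(exc)
        if cmd not in seen:
            seen.add(cmd)
            out.append(cmd)
    return out


if __name__ == "__main__":
    # Constructed placeholder profile names and threat IDs, not real signatures.
    batch = [
        false_positive("vulnerability", "corp-vp", 30001),
        ThreatException("spyware", "corp-as", 30002, "alert"),
        false_positive("antivirus", "corp-av", 30003),
        false_positive("dns", "corp-as", 30004),
        false_positive("vulnerability", "corp-vp", 30001),  # duplicate, dropped
    ]
    print("\n".join(commands_for(batch)))
```

Run it to print the commands, paste them into configure mode, then commit. Keeping Alert available as an action (rather than only Allow) matters because Allow suppresses logging, so a false positive you still want to track should use Alert.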