End-of-Life (EoL)

Learn More About Threat Signatures using Threat IDs

The firewall Threat logs record all threats the firewall detects based on threat signatures and the ACC displays an overview of the top threats on your network. Each event the firewall records includes an ID that identifies the associated threat signature.
Now that all threat IDs are unique, you can use the threat ID found with a Threat log or ACC entry to:
  • Easily check if a threat signature is configured as an exception to your security policy.
What is a threat exception?
Palo Alto Networks defines a default action (such as block or alert) for threat signatures; unless otherwise specified, the firewall enforces threat signatures based on the default action. However, you can create a threat exception to either exclude a threat signature from enforcement or to modify how the firewall enforces that specific signature. Learn more about and create threat exceptions.
  • Find the latest Threat Vault information about a specific threat. Because the Threat Vault is now integrated with the firewall, you can view threat details directly in the firewall context or launch a Threat Vault search in a new browser window for a threat the firewall logged.
  1. Confirm the firewall is connected to the Threat Vault.
    The firewall is now enabled to access the Threat Vault by default in order to gather the latest information about detected threats. To confirm that Threat Vault access is enabled after upgrading to PAN-OS 8.0, select Device > Setup > Management and edit the Logging and Reporting settings to Enable Threat Vault Access.
  2. Find the threat ID for threats the firewall detects:
    • To see each threat event the firewall detects based on threat signatures, select Monitor > Logs > Threat. The ID column lists the ID for each threat entry, or select the log entry to view log details, including the Threat ID.
    • To see an overview of top threats on the network, select ACC > Threat Activity and look at the Threat Activity widget. The ID column displays the threat ID for each threat displayed.
    • To see details for threats that you can configure as threat exceptions (meaning the firewall enforces the threat differently than the default action defined for the threat signature), select Objects > Security Profiles > Anti-Spyware/Vulnerability Protection. Add or modify a profile and click the Exceptions tab to view configured exceptions. If no exceptions are configured, you can filter for threat signatures or select Show all signatures.
  3. Hover over a Threat Name or the threat ID and click Exception to review both the threat details and how the firewall is configured to enforce the threat.
    For example, find out more about a top threat charted on the ACC:
  4. Review the latest Threat Details for the threat and launch a Threat Vault search based on the threat ID:
    • Threat details displayed include the latest Threat Vault information for the threat, resources you can use to learn more about the threat, and CVEs associated with the threat.
    • Select View in Threat Vault to open a Threat Vault search in a new window and look up the latest information the Palo Alto Networks threat database has for this threat signature.
  5. Check if a threat signature is configured as an exception to your security policy:
    • If the Used in current security rule column is clear, the firewall is enforcing the threat based on the recommended default signature action (for example, block or alert).
    • A checkmark anywhere in the Used in current security rule column indicates that a security policy rule is configured to enforce a non-default action for the threat (for example, allow), based on the associated Exempt Profiles settings.
    The Used in current security rule column does not indicate whether the security rule is enabled, only that the security policy rule is configured with the threat exception. Select Policies > Security to check if an indicated security policy rule is enabled.
  6. Add an IP address on which to filter the threat exception, or view existing Exempt IP Addresses. Configure an exempt IP address to enforce a threat exception only when the associated session has a matching source or destination IP address; for all other sessions, the threat is enforced based on the default signature action.
