- Monitor > Logs > Threat
- ACC > Threat Activity
- Objects > Security Profiles > Anti-Spyware/Vulnerability Protection
Use the Threat Details dialog to learn more about the threat signatures the firewall is equipped with and the events that trigger them. Threat details are available from three places:
- Threat logs, which record the threats the firewall detects (Monitor > Logs > Threat)
- The top threats seen in your network (ACC > Threat Activity)
- Threat signatures that you want to modify or exclude from enforcement (Objects > Security Profiles > Anti-Spyware/Vulnerability Protection)
When you find a threat signature you want to learn more about, hover over the Threat Name or the threat ID and click Exception to open the threat details. From there you can check whether the signature is configured as an exception to your security policy and look up the latest Threat Vault information for it. The Palo Alto Networks Threat Vault database is integrated with the firewall, so you can view expanded signature details in the firewall context or launch a Threat Vault search in a new browser window for a logged threat.
Depending on the type of threat you are viewing, the details include some or all of the fields in the following table.

| Threat detail | Description |
|---|---|
| Name | Threat signature name. |
| ID | Unique threat signature ID. Select View in Threat Vault to open a Threat Vault search in a new browser window and look up the latest information the Palo Alto Networks threat database has for this signature. The Threat Vault entry might include additional details, such as the first and last content releases that updated the signature and the minimum PAN-OS version required to support it. |
| Description | Information about the threat that triggers the signature. |
| Severity | The threat severity level: informational, low, medium, high, or critical. |
| CVE | Publicly known security vulnerabilities associated with the threat. The Common Vulnerabilities and Exposures (CVE) identifier is the most useful identifier for researching an individual vulnerability, because a vendor-specific ID commonly covers several vulnerabilities at once. |
| Bugtraq ID | The Bugtraq ID associated with the threat. |
| Vendor ID | The vendor-specific identifier for a vulnerability. For example, MS16-148 is the vendor ID for one or more Microsoft vulnerabilities and APSB16-39 is the vendor ID for one or more Adobe vulnerabilities. |
| Reference | Research sources you can use to learn more about the threat. |
| Exempt Profiles | Security profiles that define an enforcement action for the threat signature that differs from the default signature action. A threat exception is only active when an exempt profile is attached to a security policy rule (check whether the exception is Used in current security rule). |
| Used in current security rule | A check mark in this column indicates that the firewall is actively enforcing the threat exception, that is, the Exempt Profiles that define the exception are attached to a security policy rule. If the column is clear, the firewall enforces the threat using only the recommended default signature action. |
| Exempt IP Addresses | Add an IP address to which the threat exception is limited, or view the existing Exempt IP Addresses. With exempt IP addresses configured, the exception applies only to sessions whose source or destination IP address matches an exempt address; every other session is enforced according to the default signature action. |
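The exception fields above interact in a way that is easy to misread from the GUI alone: an exception in a profile does nothing until that profile is attached to the rule the session matched, and an exempt IP narrows the exception to sessions where that address is the source or the destination. The following is an added example, not Palo Alto Networks code, that models exactly those rules and runs them over a few constructed threat log lines. The signature table, profile and rule names, IP addresses, log line format and the CVE-2016-0001 identifier are all constructed for the example; MS16-148 and APSB16-39 are the vendor IDs mentioned above.

```python
"""Added example (not Palo Alto Networks code): how the Exempt Profiles,
Used in current security rule and Exempt IP Addresses fields combine into
the action taken for a threat. All data below is constructed."""
import re
from dataclasses import dataclass, field

# Constructed signature table: threat ID -> (name, severity, default action).
SIGNATURES = {
    30000: ("Example-Exploit-Attempt", "high", "reset-both"),
    30001: ("Example-Scanner-Probe", "low", "alert"),
}

@dataclass
class ThreatException:
    action: str                                   # action overriding the default
    exempt_ips: set = field(default_factory=set)  # empty set = applies to every session

@dataclass
class SecurityProfile:
    name: str
    exceptions: dict = field(default_factory=dict)  # threat ID -> ThreatException

@dataclass
class SecurityRule:
    name: str
    profiles: list  # names of the security profiles attached to the rule

def exception_in_use(profile, rules):
    """'Used in current security rule': True only if some rule attaches the profile."""
    return any(profile.name in rule.profiles for rule in rules)

def effective_action(threat_id, src, dst, rule, profiles):
    """Action for a threat seen in a session that matched `rule`.
    An exception counts only if its profile is attached to that rule and, when
    exempt IPs are configured, only if src or dst is one of them."""
    default_action = SIGNATURES[threat_id][2]
    for profile in profiles:
        if profile.name not in rule.profiles:
            continue
        exc = profile.exceptions.get(threat_id)
        if exc is None:
            continue
        if not exc.exempt_ips or src in exc.exempt_ips or dst in exc.exempt_ips:
            return exc.action
    return default_action

# Constructed log lines: time, subtype, src, dst, rule, "threat name(threat ID)".
THREAT_LOG = [
    "2024/03/01 10:00:01,vulnerability,10.1.1.5,203.0.113.7,allow-web,Example-Exploit-Attempt(30000)",
    "2024/03/01 10:00:02,vulnerability,10.1.1.9,203.0.113.7,allow-web,Example-Exploit-Attempt(30000)",
    "2024/03/01 10:00:03,vulnerability,10.1.1.5,198.51.100.4,allow-web,Example-Scanner-Probe(30001)",
]
LOG_RE = re.compile(
    r"^(?P<ts>[^,]+),(?P<subtype>[^,]+),(?P<src>[^,]+),(?P<dst>[^,]+),"
    r"(?P<rule>[^,]+),(?P<name>.+)\((?P<tid>\d+)\)$"
)

def parse_threat_log(line):
    """Split one constructed log line; the threat ID is the number in parentheses."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line}")
    entry = m.groupdict()
    entry["tid"] = int(entry["tid"])
    return entry

ID_PATTERNS = {
    "CVE": re.compile(r"\bCVE-\d{4}-\d{4,}\b"),
    "Vendor ID": re.compile(r"\b(?:MS\d{2}-\d{3}|APSB\d{2}-\d{2})\b"),
}

def preferred_identifier(reference_text):
    """Prefer the CVE: a vendor ID such as MS16-148 may cover several vulnerabilities."""
    for kind in ("CVE", "Vendor ID"):
        m = ID_PATTERNS[kind].search(reference_text)
        if m:
            return kind, m.group(0)
    return None, None

def audit(rules, profiles, log_lines):
    """Resolve each log line to the action this configuration would produce."""
    rules_by_name = {r.name: r for r in rules}
    rows = []
    for line in log_lines:
        e = parse_threat_log(line)
        action = effective_action(e["tid"], e["src"], e["dst"], rules_by_name[e["rule"]], profiles)
        rows.append((e["tid"], e["src"], e["dst"], action))
    return rows

# Exception: alert instead of reset on 30000, but only for the scanner host 10.1.1.5.
PROFILES = [
    SecurityProfile("vp-lab", {30000: ThreatException("alert", {"10.1.1.5"})}),
    SecurityProfile("vp-unused", {30001: ThreatException("drop")}),  # attached to no rule
]
RULES = [SecurityRule("allow-web", ["vp-lab"])]

if __name__ == "__main__":
    for p in PROFILES:
        print(p.name, "used in current security rule:", exception_in_use(p, RULES))
    for row in audit(RULES, PROFILES, THREAT_LOG):
        print(row)
    print(preferred_identifier("MS16-148, CVE-2016-0001"))
```

Running it shows the second log line (source 10.1.1.9) still gets reset-both, because the exempt IP limits the exception to 10.1.1.5, and the third line stays at the default alert because the vp-unused profile that would drop it is not attached to any rule, which is exactly the case the Used in current security rule column flags.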
If you are having trouble viewing threat details, check the following:
- The firewall's Threat Prevention license is active (Device > Licenses).
- The latest Antivirus and Applications and Threats content updates are installed.
- Threat Vault access is enabled (select Device > Setup > Management, edit the Logging and Reporting settings, and select Enable Threat Vault Access).
- The default (or custom) Antivirus, Anti-Spyware, and Vulnerability Protection security profiles are attached to your security policy rules.
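The first two checks can be scripted against the PAN-OS XML API, using the operational commands behind Device > Licenses (request license info) and the content versions shown by show system info. The following is an added example, not Palo Alto Networks code: FW_HOST, API_KEY and the minimum acceptable content releases are placeholders, and the two XML responses are constructed samples trimmed to the elements the checks read, so the script runs offline; replace them with the live responses from the URLs that op_url() builds. The Threat Vault access setting and the profile attachments are not covered here and still need to be confirmed in the web interface.

```python
"""Added example (not Palo Alto Networks code): scripted checks for the Threat
Prevention license and the installed content versions via the PAN-OS XML API.
Host, API key, thresholds and the sample responses are all constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

FW_HOST = "firewall.example.net"  # assumption: placeholder management address
API_KEY = "REPLACE_WITH_API_KEY"  # assumption: placeholder
# Assumption: oldest release number you still consider current, per content type.
# Antivirus and Applications and Threats use separate numbering.
MIN_CONTENT = {"av-version": 4500, "threat-version": 8600}

SHOW_SYSTEM_INFO = "<show><system><info></info></system></show>"
LICENSE_INFO = "<request><license><info></info></license></request>"

def op_url(cmd_xml):
    """URL for a PAN-OS XML API operational command (type=op)."""
    return f"https://{FW_HOST}/api/?" + urlencode({"type": "op", "cmd": cmd_xml, "key": API_KEY})

# Constructed sample of a 'show system info' response, trimmed to the version fields.
SAMPLE_SYSTEM_INFO = """<response status="success"><result><system>
<hostname>fw-lab</hostname><sw-version>10.2.3</sw-version>
<av-version>4561-5031</av-version><app-version>8669-7740</app-version>
<threat-version>8669-7740</threat-version></system></result></response>"""

# Constructed sample of a 'request license info' response.
SAMPLE_LICENSE = """<response status="success"><result><licenses>
<entry><feature>Threat Prevention</feature><expires>December 31, 2025</expires><expired>no</expired></entry>
<entry><feature>WildFire License</feature><expires>January 1, 2023</expires><expired>yes</expired></entry>
</licenses></result></response>"""

def threat_prevention_active(license_xml):
    """True if a Threat Prevention license entry exists and is not expired."""
    root = ET.fromstring(license_xml)
    for entry in root.iter("entry"):
        if entry.findtext("feature") == "Threat Prevention":
            return entry.findtext("expired") == "no"
    return False

def content_versions(system_xml):
    """Installed content versions as reported by 'show system info'."""
    root = ET.fromstring(system_xml)
    return {k: root.findtext(f".//{k}") for k in ("av-version", "app-version", "threat-version")}

def content_release(version):
    """Release number is the part before the dash, e.g. '8669-7740' -> 8669."""
    return int(version.split("-")[0])

def readiness_problems(system_xml, license_xml, min_content=MIN_CONTENT):
    """List of failed checks; an empty list means the two conditions are met."""
    problems = []
    if not threat_prevention_active(license_xml):
        problems.append("Threat Prevention license missing or expired (Device > Licenses)")
    versions = content_versions(system_xml)
    for key, minimum in min_content.items():
        version = versions.get(key)
        if not version or content_release(version) < minimum:
            problems.append(f"{key} is {version!r}, older than {minimum}; install current content updates")
    return problems

if __name__ == "__main__":
    print("fetch with:", op_url(SHOW_SYSTEM_INFO))
    print("fetch with:", op_url(LICENSE_INFO))
    print(readiness_problems(SAMPLE_SYSTEM_INFO, SAMPLE_LICENSE) or "license and content checks pass")
```

Treat the API key like any other firewall credential: generate it for a dedicated read-only administrator and keep it out of the script and its history.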