Create Threat Exceptions
Palo Alto Networks defines a recommended default
action (such as block or alert) for threat signatures. You can use
a threat ID to exclude a threat signature from enforcement or modify
the action the firewall enforces for that threat signature. For
example, you can modify the action for threat signatures that are
triggering false positives on your network.
Configure threat
exceptions for antivirus, vulnerability, spyware, and DNS signatures
to change firewall enforcement for a threat. However, before you
begin, make sure the firewall is detecting and enforcing threats
based on the default signature settings:
- Get the latest Antivirus, Threats and Applications, and WildFire signature updates.
- Set Up Antivirus, Anti-Spyware, and Vulnerability Protection and apply these security profiles to your security policy.
- Exclude antivirus signatures from enforcement. While you can use an Antivirus profile to exclude antivirus signatures from enforcement, you cannot change the action the firewall enforces for a specific antivirus signature. However, you can define the action for the firewall to enforce for viruses found in different types of traffic by editing the Decoders (Objects > Security Profiles > Antivirus > <antivirus-profile> > Antivirus).
  - Select Objects > Security Profiles > Antivirus.
  - Add or modify an existing Antivirus profile from which you want to exclude a threat signature and select Virus Exception.
  - Add the Threat ID for the threat signature you want to exclude from enforcement.
  - Click OK to save the Antivirus profile.
- Modify enforcement for vulnerability and spyware signatures (except DNS signatures; skip to the next option to modify enforcement for DNS signatures, which are a type of spyware signature).
  - Select Objects > Security Profiles > Anti-Spyware or Objects > Security Profiles > Vulnerability Protection.
  - Add or modify an existing Anti-Spyware or Vulnerability Protection profile from which you want to exclude the threat signature and then select Exceptions.
  - Show all signatures and then filter to select the signature for which you want to modify enforcement rules.
  - Check the box under the Enable column for the signature whose enforcement you want to modify.
  - Select the Action you want the firewall to enforce for this threat signature. For signatures that you want to exclude from enforcement because they trigger false positives, set the Action to Allow.
  - Click OK to save your new or modified Anti-Spyware or Vulnerability Protection profile.
- Modify enforcement for DNS signatures. By default, DNS lookups to malicious hostnames that DNS signatures detect are sinkholed.
  - Select Objects > Security Profiles > Anti-Spyware.
  - Add or modify the Anti-Spyware profile from which you want to exclude the threat signature, and select DNS Signatures.
  - Add the DNS Threat ID for the DNS signature that you want to exclude from enforcement.
  - Click OK to save your new or modified Anti-Spyware profile.
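An added example, not part of the Palo Alto Networks documentation: exceptions that exclude a signature or set its action to Allow remove enforcement, so it is worth listing them periodically for review. This Python script does that over a constructed XML fragment; the element names and nesting are assumptions modelled on a security-profile export, and the profile names and threat IDs are made up.

```python
import xml.etree.ElementTree as ET
# Constructed sample. Element names and nesting are an assumption modelled on
# a security-profile export; the threat IDs and profile names are made up.
SAMPLE_CONFIG = """
<profiles>
  <virus><entry name="av-default">
    <threat-exception><entry name="100001"/></threat-exception>
  </entry></virus>
  <spyware><entry name="as-strict">
    <threat-exception>
      <entry name="200001"><action><allow/></action></entry>
      <entry name="200002"><action><alert/></action></entry>
    </threat-exception>
    <botnet-domains>
      <threat-exception><entry name="300001"/></threat-exception>
    </botnet-domains>
  </entry></spyware>
  <vulnerability><entry name="vp-strict">
    <threat-exception>
      <entry name="400001"><action><reset-both/></action></entry>
    </threat-exception>
  </entry></vulnerability>
</profiles>
"""

# (label, profile element, path to exception entries, carries its own action)
EXCEPTION_PATHS = [
    ("antivirus", "virus", "threat-exception/entry", False),
    ("anti-spyware", "spyware", "threat-exception/entry", True),
    ("dns", "spyware", "botnet-domains/threat-exception/entry", False),
    ("vulnerability", "vulnerability", "threat-exception/entry", True),
]

def list_exceptions(xml_text):
    """Return (label, profile, threat_id, action, unenforced) per exception."""
    rows = []
    root = ET.fromstring(xml_text)
    for label, tag, path, has_action in EXCEPTION_PATHS:
        for profile in root.findall(f"{tag}/entry"):
            for exc in profile.findall(path):
                chosen = exc.find("action/*") if has_action else None
                action = chosen.tag if chosen is not None else "excluded"
                # Excluded or allowed signatures are no longer enforced.
                unenforced = action in ("excluded", "allow")
                rows.append((label, profile.get("name"), exc.get("name"), action, unenforced))
    return rows

if __name__ == "__main__":
    print(*list_exceptions(SAMPLE_CONFIG), sep="\n")
```

Rows whose last field is `True` are the exceptions to re-justify first, since traffic matching those signatures passes without a block or alert.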