- Monitor > Logs > Threat
- ACC > Threat Activity
- Objects > Security Profiles > Anti-Spyware/Vulnerability Protection
Use the Threat Details dialog to learn more about the threat signatures with which the firewall is equipped and the events that trigger those signatures. Threat details are provided for:
- Threat logs that record the threats that the firewall detects (Monitor > Logs > Threat)
- The top threats found in your network (ACC > Threat Activity)
- Threat signatures that you want to modify or exclude from enforcement (Objects > Security Profiles > Anti-Spyware/Vulnerability Protection)
When you find a threat signature you want to learn more about, hover over the Threat Name or the threat ID and click Exception to review the threat details. The threat details allow you to easily check whether a threat signature is configured as an exception to your security policy and to find the latest Threat Vault information about a specific threat. The Palo Alto Networks Threat Vault database is integrated with the firewall, allowing you to view expanded details about threat signatures in the firewall context or launch a Threat Vault search in a new browser window for a logged threat.
Depending on the type of threat you’re viewing, the details include all or some of the threat details described in the following table.
| Threat detail | Description |
|---|---|
| Name | Threat signature name. |
| ID | Unique threat signature ID. Select View in Threat Vault to open a Threat Vault search in a new browser window and look up the latest information that the Palo Alto Networks threat database has for this signature. The Threat Vault entry for the threat signature might include additional details, including the first and last content releases to include updates to the signature and the minimum PAN-OS version required to support the signature. |
| Description | Information about the threat that triggers the signature. |
| Severity | The threat severity level: informational, low, medium, high, or critical. |
| CVE | Publicly known security vulnerabilities associated with the threat. The Common Vulnerabilities and Exposures (CVE) identifier is the most useful identifier for finding information about unique vulnerabilities, because vendor-specific IDs commonly cover multiple vulnerabilities. |
| Bugtraq ID | The Bugtraq ID associated with the threat. |
| Vendor ID | The vendor-specific identifier for a vulnerability. For example, MS16-148 is the vendor ID for one or more Microsoft vulnerabilities and APSB16-39 is the vendor ID for one or more Adobe vulnerabilities. |
| Reference | Research sources you can use to learn more about the threat. |
| Exempt Profiles | Security profiles that define a different enforcement action for the threat signature than the default signature action. The threat exception is only active when exempt profiles are attached to a security policy rule (check whether the exception is Used in current security rule). |
| Used in current security rule | Active threat exceptions—A check mark in this column indicates that the firewall is actively enforcing the threat exception (the Exempt Profiles that define the threat exception are attached to a security policy rule). If this column is clear, the firewall is enforcing the threat based only on the recommended default signature action. |
| Exempt IP Addresses | Exempt IP addresses—You can add an IP address on which to filter the threat exception or view existing Exempt IP Addresses. This option enforces a threat exception only when the associated session has either a source or destination IP address that matches the exempt IP address. For all other sessions, the threat is enforced based on the default signature action. |
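The three exception fields above interact: an exception defined in a profile does nothing until that profile is attached to a security policy rule, and once active it can be narrowed to sessions whose source or destination matches an exempt IP address. The following added example (not Palo Alto Networks code, and not how the firewall is implemented) models that decision for one session so the precedence is explicit; threat IDs, profile names, addresses and the CIDR handling of exempt entries are all constructed assumptions for illustration.

```python
"""Model of how a threat exception is resolved for one session.

Added example, not Palo Alto Networks code. It encodes the rules the
Threat Details table describes: an exception is active only when its
Exempt Profile is attached to a security policy rule; when Exempt IP
Addresses are set, the exception applies only to sessions whose source
or destination matches one of them; otherwise the default signature
action applies. All IDs, names and addresses are constructed samples.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class ThreatException:
    threat_id: int              # signature ID the exception is defined for
    profile: str                # Anti-Spyware/Vulnerability Protection profile holding it
    action: str                 # action the profile configures instead of the default
    exempt_ips: list = field(default_factory=list)   # optional Exempt IP Addresses


def ip_is_exempt(ip: str, exempt_ips) -> bool:
    """True if ip matches any exempt entry (host address or, as an assumption here, CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in exempt_ips)


def effective_action(threat_id, default_action, exceptions, attached_profiles, src_ip, dst_ip):
    """Return (action, profile) applied to a session that triggers threat_id.

    profile is None when the default signature action is used.
    """
    for exc in exceptions:
        if exc.threat_id != threat_id:
            continue
        # Profile not referenced by any rule: "Used in current security rule"
        # would be clear, so the exception is inert.
        if exc.profile not in attached_profiles:
            continue
        # Exempt IP Addresses narrow the exception to matching sessions only.
        if exc.exempt_ips and not (ip_is_exempt(src_ip, exc.exempt_ips)
                                   or ip_is_exempt(dst_ip, exc.exempt_ips)):
            continue
        return exc.action, exc.profile
    return default_action, None


# Constructed sample configuration (placeholder IDs, names and addresses)
DEFAULT_ACTION = "reset-both"
EXCEPTIONS = [
    ThreatException(99901, "scanner-exceptions", "alert", ["10.0.5.10", "10.0.6.0/24"]),
    ThreatException(99902, "unused-profile", "allow"),
]
ATTACHED_PROFILES = {"scanner-exceptions"}   # profiles referenced by a security policy rule


if __name__ == "__main__":
    for src, dst in [("10.0.5.10", "192.0.2.7"), ("203.0.113.4", "192.0.2.7")]:
        print(src, "->", dst, effective_action(99901, DEFAULT_ACTION, EXCEPTIONS,
                                               ATTACHED_PROFILES, src, dst))
    # Exception exists but its profile is not attached: default action wins.
    print(effective_action(99902, DEFAULT_ACTION, EXCEPTIONS, ATTACHED_PROFILES,
                           "10.0.5.10", "192.0.2.7"))
```

The useful check when reviewing an exception is the second condition: a profile that holds the exception but is attached to no rule leaves the signature enforced at its default action, which is exactly what a clear Used in current security rule column indicates.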
If you’re having trouble viewing threat details, check for the following conditions:
- The firewall Threat Prevention license is active (Device > Licenses).
- The latest Antivirus and Threats and Applications content updates are installed.
- Threat Vault access is enabled (select Device > Setup > Management and edit the Logging and Reporting setting to Enable Threat Vault Access).
- The default (or custom) Antivirus, Anti-Spyware, and Vulnerability Protection security profiles are applied to your security policy.