Create Threat Exceptions

Palo Alto Networks defines a recommended default action (such as block or alert) for threat signatures. You can use a threat ID to exclude a threat signature from enforcement or modify the action the firewall enforces for that threat signature. For example, you can modify the action for threat signatures that are triggering false positives on your network.
Configure threat exceptions for antivirus, vulnerability, spyware, and DNS signatures to change firewall enforcement for a threat. However, before you begin, make sure the firewall is detecting and enforcing threats based on the default signature settings:
  1. Exclude antivirus signatures from enforcement.
    While you can use an Antivirus profile to exclude antivirus signatures from enforcement, you cannot change the action the firewall enforces for a specific antivirus signature. However, you can define the action for the firewall to enforce for viruses found in different types of traffic by editing the Decoders (
    Objects
    Security Profiles
    Antivirus
    > <antivirus-profile> > Antivirus
    ).
    1. Select
      Objects
      Security Profiles
      Antivirus
      .
    2. Add
      or modify an existing Antivirus profile from which you want to exclude a threat signature and select
      Virus Exception
      .
    3. Add
      the
      Threat ID
      for the threat signature you want to exclude from enforcement.
      threat-exception-antivirus.png
    4. Click
      OK
      to save the Antivirus profile.
  2. Modify enforcement for vulnerability and spyware signatures (except DNS signatures; skip to the next option to modify enforcement for DNS signatures, which are a type of spyware signature).
    1. Select
      Objects
      Security Profiles
      Anti-Spyware
      or
      Objects
      Security Profiles
      Vulnerability Protection
      .
    2. Add
      or modify an existing Anti-Spyware or Vulnerability Protection profile from which you want to exclude the threat signature and then select
      Exceptions
      .
    3. Show all signatures
      and then filter to select the signature for which you want to modify enforcement rules.
    4. Check the box under the
      Enable
      column for the signature whose enforcement you want to modify.
    5. Select the
      Action
      you want the firewall to enforce for this threat signature.
      threat-exception-antispyware.png
      For signatures that you want to exclude from enforcement because they trigger false positives, set the
      Action
      to
      Allow
      .
    6. Click
      OK
      to save your new or modified Anti-Spyware or Vulnerability Protection profile.
  3. Modify enforcement for DNS signatures.
    By default, the DNS lookups to malicious hostnames that DNS signatures are detect are sinkholed.
    1. Select
      Objects
      Security Profiles
      Anti-Spyware
      .
    2. Add
      or modify the Anti-Spyware profile from which you want to exclude the threat signature, and select
      DNS Signatures
      .
    3. Add
      the
      DNS Threat ID
      for the DNS signature that you want to exclude from enforcement:
      threat-exception-dns.png
    4. Click
      OK
      to save your new or modified Anti-Spyware profile.

Related Documentation