topic Cannot change action for special Threat ID in Next-Generation Firewall Discussions

Cannot change action for special Threat ID

tugips — Wed, 24 Jan 2024 10:52:55 GMT

On our 5410 with PANOS 10.2.7-h3 installed I can see a lot of threats with ID 89953 (Inline Cloud Analyzed Unknown-TCP Command and Control Traffic Detection), severity = high, default action = alert.

I want to change the default action via Anti-Spyware-Profile > Inline Cloud Analysis, but it's not possible for this special threat.

Any idea how to change this?

Thx in advance

Thomas

Re: Cannot change action for special Threat ID

Claw4609 — Wed, 24 Jan 2024 20:35:52 GMT

You arent able to change the predefined security profiles if youre trying to change it from there. You would have to clone the profile and edit it there.

The threat ID is for this entirely, if you wanted to disable this you could set the action to alert. However, down below if where you can set specific exceptions for the threat.

Re: Cannot change action for special Threat ID

tugips — Thu, 25 Jan 2024 07:29:44 GMT

Sure, I've always been using a custom profile and all actions within "Inline Cloud Analysis" are set to "reset-both".

What I've found out in the meantime:

In some rare cases threat IDs within the range 89950-89953 are blocked.

No idea why...

And I still want to block all those threats.

Re: Cannot change action for special Threat ID

Claw4609 — Thu, 25 Jan 2024 14:22:45 GMT

Just to clarify, are you wanting to block or allow threat IDs 89950-89953? While I dont have much of this traffic being flagged in my environment, its possible that this operates similar to Wildfire, and it initially alerts/allows the traffic before the cloud comes back and says no for future connections.