https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threat-prevention-rules-exceptions-default-actions-precedence/m-p/554781#M1989 <P>Yes, that should be how it works. Please report it here if you actually get a different result.</P> Wed, 23 Aug 2023 04:49:24 GMT ymiyashita 2023-08-23T04:49:24Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threat-prevention-rules-exceptions-default-actions-precedence/m-p/554735#M1988 <P>I want to confirm the order of precedence for security profile rules, default actions, and exceptions.&nbsp; For example, the default action for the&nbsp;SSH User Authentication Brute Force Attempt threat is alert.&nbsp; However, the threat profile rule associated (simple-server-high) has an action of reset-both.&nbsp; I think the rule action will override the default action of the signature meaning that the action of reset-both will be taken.&nbsp; Is that correct?</P> <P>&nbsp;</P> <P>As a follow up, in that scenario I also have exceptions for a few IPs with that use the default action of alert.&nbsp; I think the exception will take precedence and the action will be to alert.&nbsp; Is that correct?</P> <P>&nbsp;</P> <P>To summarize, I think rules override the default action but exceptions override both the rules and original default action when an exception is enabled.&nbsp; Is that correct?&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 22 Aug 2023 17:54:51 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threat-prevention-rules-exceptions-default-actions-precedence/m-p/554735#M1988 bruce.johnson 2023-08-22T17:54:51Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threat-prevention-rules-exceptions-default-actions-precedence/m-p/554781#M1989 <P>Yes, that should be how it works. Please report it here if you actually get a different result.</P> Wed, 23 Aug 2023 04:49:24 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threat-prevention-rules-exceptions-default-actions-precedence/m-p/554781#M1989 ymiyashita 2023-08-23T04:49:24Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threat-prevention-rules-exceptions-default-actions-precedence/m-p/595569#M2262 <P><SPAN>&nbsp;</SPAN></P> <DIV class="lia-message-author-with-avatar"><SPAN class="UserName lia-user-name lia-user-rank-L1-Bithead lia-component-message-view-widget-author-username"><A id="link_7" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9239" target="_self" aria-label="View Profile of bruce.johnson"></A><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9239">@bruce.johnson</a>,</SPAN>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;</DIV> <DIV class="lia-message-author-with-avatar">&nbsp;</DIV> <DIV class="lia-message-author-with-avatar"><SPAN class="UserName lia-user-name lia-user-rank-L1-Bithead lia-component-message-view-widget-author-username"><A id="link_7" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9239" target="_self" aria-label="View Profile of bruce.johnson"><SPAN class=""> yes you are absolutely right. i have tested and found it okay<span class="lia-unicode-emoji" title=":grinning_face:">😀</span></SPAN></A></SPAN></DIV> Thu, 22 Aug 2024 04:44:34 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threat-prevention-rules-exceptions-default-actions-precedence/m-p/595569#M2262 Rokibul 2024-08-22T04:44:34Z