https://live.paloaltonetworks.com/t5/advanced-threat-prevention/vulnerability-protection-profile/m-p/556846#M1990 <P>Hello!</P> <P>&nbsp;</P> <P>I have a rule with a vulnerability protection profile enabled between my VPN users and DMZ.</P> <P>I need to WebGUI (8443/8080) into a new DMZ server, but VP is stopping it.</P> <P>How do I make an exception for this traffic?</P> <P>&nbsp;</P> <P>Thanks,</P> <P>DC</P> Wed, 06 Sep 2023 20:39:35 GMT DCleve 2023-09-06T20:39:35Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/vulnerability-protection-profile/m-p/556846#M1990 <P>Hello!</P> <P>&nbsp;</P> <P>I have a rule with a vulnerability protection profile enabled between my VPN users and DMZ.</P> <P>I need to WebGUI (8443/8080) into a new DMZ server, but VP is stopping it.</P> <P>How do I make an exception for this traffic?</P> <P>&nbsp;</P> <P>Thanks,</P> <P>DC</P> Wed, 06 Sep 2023 20:39:35 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/vulnerability-protection-profile/m-p/556846#M1990 DCleve 2023-09-06T20:39:35Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/vulnerability-protection-profile/m-p/556880#M1991 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/314099">@DCleve</a></P> <P>&nbsp;</P> <P>thanks for posting.</P> <P>&nbsp;</P> <P>I would recommend to review traffic and security logs from: Monitor &gt; Logs &gt; Traffic / Threat to confirm exact reason for traffic to be denied / dropped. If you confirmed that vulnerability signature is causing an issue, here are 2 KBs for applying an exception either on signature or IP address level:</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm4yCAC" target="_self">How to create a vulnerability exception</A></P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhcCAC" target="_self">Vulnerability Exception Based Upon Source and Destination IP Address to change the default behavior</A>&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>If you believe this is a false positive, you can reported:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSBCA0" target="_self">How to Submit a Vulnerability Signature False Positive</A>&nbsp;</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Thu, 07 Sep 2023 03:01:37 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/vulnerability-protection-profile/m-p/556880#M1991 PavelK 2023-09-07T03:01:37Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/vulnerability-protection-profile/m-p/557036#M1993 <P>Thanks for the reply, PK.</P> <P>&nbsp;</P> <P>This is strange. The Traffic logs report that the traffic is allowed, but I'm getting nothing but RST, ACK (with no connection), allegedly from the server.</P> <P>The server, though, shows that it's listening on ports 8080 and 8443. I'm second-guessing my theory that the problem is Vulnerability protection. As I research, APP-ID could also be the problem, but again, all traffic is "allowed" in the traffic logs and isn't present in the Threat logs.</P> <P>&nbsp;</P> <P>Any help here would be appreciated.</P> <P>&nbsp;</P> <P>I assumed the problem was vulnerability protection because a profile is attached to the policy, but I see nothing in the traffic or threat logs indicating this.</P> Thu, 07 Sep 2023 18:11:12 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/vulnerability-protection-profile/m-p/557036#M1993 DCleve 2023-09-07T18:11:12Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/vulnerability-protection-profile/m-p/557057#M1994 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/314099">@DCleve</a></P> <P>&nbsp;</P> <P>thank you for reply.</P> <P>&nbsp;</P> <P>To eliminate assumptions, could you check Unified logs with server's IP address in filter from: Monitor &gt; Logs &gt; Unified? Unified logs have all log types in one screen.</P> <P>&nbsp;</P> <P>If it is possible could you take a packet capture from server? Also if it is possible could you temporarily take vulnerability profile out of the policy and test connection?</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Thu, 07 Sep 2023 21:51:23 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/vulnerability-protection-profile/m-p/557057#M1994 PavelK 2023-09-07T21:51:23Z