https://live.paloaltonetworks.com/t5/advanced-threat-prevention/pci-how-do-i-exempt-an-asv-scanner-from-the-ips-functions-next/m-p/303752#M710 <P>Hi BPry,</P><P>&nbsp;</P><P>when you say set to alert you mean the security profile set to alert instead of none?</P><P>I was under the impression that if you do change vulnerability &nbsp;security profile to none and log sessions at start or end this will still generate the traffic logs?</P> Sat, 14 Dec 2019 16:54:04 GMT MP18 2019-12-14T16:54:04Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/pci-how-do-i-exempt-an-asv-scanner-from-the-ips-functions-next/m-p/276691#M610 <P>We are trying to exempt our ASV scanner IPs from vuln protection, AV, etc... without whitelisting them from the firewall (host/port) rules we have in place.&nbsp; All I can find is exempting IPs based on a single Threat ID.</P><P>&nbsp;</P><P>Thanks.</P><P>&nbsp;</P><P>PCI Scanning Standard:</P><P>"13. Arrangements must be made to configure the intrusion detection<BR />system/intrusion prevention system (IDS/IPS) to accept the originating IP<BR />address of the ASV. If this is not possible, the scan should be originated<BR />in a location that prevents IDS/IPS interference "</P> Mon, 15 Jul 2019 21:49:04 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/pci-how-do-i-exempt-an-asv-scanner-from-the-ips-functions-next/m-p/276691#M610 Kris.Waddle 2019-07-15T21:49:04Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/pci-how-do-i-exempt-an-asv-scanner-from-the-ips-functions-next/m-p/276915#M611 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/117196">@Kris.Waddle</a>,</P><P>There isn't an easy way to do this. You will essentially need to duplicate the policies with the source IPs for your scanner and assign them a different profile-setting (I would assign them one where you alert on the traffic so you have logs to look back on, but it won't take any action to reset/drop the traffic).&nbsp;</P> Tue, 16 Jul 2019 21:23:54 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/pci-how-do-i-exempt-an-asv-scanner-from-the-ips-functions-next/m-p/276915#M611 BPry 2019-07-16T21:23:54Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/pci-how-do-i-exempt-an-asv-scanner-from-the-ips-functions-next/m-p/303752#M710 <P>Hi BPry,</P><P>&nbsp;</P><P>when you say set to alert you mean the security profile set to alert instead of none?</P><P>I was under the impression that if you do change vulnerability &nbsp;security profile to none and log sessions at start or end this will still generate the traffic logs?</P> Sat, 14 Dec 2019 16:54:04 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/pci-how-do-i-exempt-an-asv-scanner-from-the-ips-functions-next/m-p/303752#M710 MP18 2019-12-14T16:54:04Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/pci-how-do-i-exempt-an-asv-scanner-from-the-ips-functions-next/m-p/303797#M712 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/75039">@MP18</a>,</P><P>You would still get the traffic logs doing it your way, but you would miss out on the threats the firewall is actually able to properly identify and therefore protect against. For the particular issue that was discussed in this threat it allows you to see what the firewall would have actually done, while still allowing ASV to do it's job and identify the threats the systems are susceptible to.&nbsp;&nbsp;</P> Mon, 16 Dec 2019 00:57:52 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/pci-how-do-i-exempt-an-asv-scanner-from-the-ips-functions-next/m-p/303797#M712 BPry 2019-12-16T00:57:52Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/pci-how-do-i-exempt-an-asv-scanner-from-the-ips-functions-next/m-p/304004#M714 <P>Many Thanks for answering the Question.</P> Tue, 17 Dec 2019 05:15:02 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/pci-how-do-i-exempt-an-asv-scanner-from-the-ips-functions-next/m-p/304004#M714 MP18 2019-12-17T05:15:02Z