https://live.paloaltonetworks.com/t5/general-topics/still-no-way-to-set-specific-threat-exceptions/m-p/20205#M14700 <HTML><HEAD></HEAD><BODY><P>Hi...The traffic log is recording traffic events while the threat log is recording threat events.&nbsp; If there is traffic (regardless if the threat is present or not) then it is recorded in the traffic log.&nbsp; You are viewing the traffic log hence you're seeing the traffic activity.&nbsp; The threat log should not register the event with threat ID 12345 because it is being ingored.</P><P></P><P>How about changing the rule name from "Ignore ID 12345" to ""Scan all, Ignore ID 12345"?</P><P></P><P>Thanks.</P></BODY></HTML> Thu, 09 Feb 2012 22:46:04 GMT rmonvon 2012-02-09T22:46:04Z https://live.paloaltonetworks.com/t5/general-topics/still-no-way-to-set-specific-threat-exceptions/m-p/20202#M14697 <HTML><HEAD></HEAD><BODY><P>I created this thread over a year ago...</P><P></P><P><A class="jive-link-external-small" href="https://live.paloaltonetworks.com/message/3636#3636">https://live.paloaltonetworks.com/message/3636#3636</A></P><P></P><P>...is there still no more intuitive way to be more granular when it comes to creating threat exceptions? I'm still having the same problem I report at the bottom of that thread.&nbsp; For example...</P><P></P><P>I need to create a rule to ignore Threat ID 12345.&nbsp; If I use these rule settings...</P><P>Rule Name = Exception-12345</P><P>Source = Internal Address Space</P><P>Destination = Any</P><P>Application = web-browsing</P><P>Service = service-http</P><P>Profile = Vulnerability profile with exception for Threat ID 12345</P><P></P><P>...then it would successfully ignore threat 12345, but ANYTHING else that meets these rule requirements(even if it has nothing to do with Threat ID 12345)will be logged as this rule(Exception-12345) in the traffic log.</P></BODY></HTML> Thu, 09 Feb 2012 15:08:07 GMT https://live.paloaltonetworks.com/t5/general-topics/still-no-way-to-set-specific-threat-exceptions/m-p/20202#M14697 jambulo 2012-02-09T15:08:07Z https://live.paloaltonetworks.com/t5/general-topics/still-no-way-to-set-specific-threat-exceptions/m-p/20203#M14698 <HTML><HEAD></HEAD><BODY><P>Which answer did the sales rep return to you regarding this?</P><P></P><P>What do you mean that it will be logged in the traffic log?</P><P></P><P>You didnt setup a log entry for this rule?</P><P></P><P>Then if you use default for the other threats then its depends on how each threat is setup in the threat db if it should just alert (just log) or deny (block and log). Given that you get a hit for the other threats that is...</P></BODY></HTML> Thu, 09 Feb 2012 16:54:17 GMT https://live.paloaltonetworks.com/t5/general-topics/still-no-way-to-set-specific-threat-exceptions/m-p/20203#M14698 mikand 2012-02-09T16:54:17Z https://live.paloaltonetworks.com/t5/general-topics/still-no-way-to-set-specific-threat-exceptions/m-p/20204#M14699 <HTML><HEAD></HEAD><BODY><P>To simplify my question...Is there a way to create Threat Exceptions for a specific source and/or destination IP?&nbsp; Currently, the only way to create an Exception is to completely ignore the threat.&nbsp; No matter what source or destination.</P><P></P><P>Now, I am able to create a rule in the Security Policy called "Ignore ID 12345".&nbsp; The rule has this settings, traffic from source 192.168.1.10 going to destination ANY, using Application "web-browsing", and using a Vulnerability Profile that has an Exception for Threat ID 12345.</P><P>This rule will not log any Threats with ID 12345 if it's coming from 192.168.1.10 going on ANY, using "web-browsing".</P><P></P><P>The problem, ANY OTHER traffic coming from 192.168.1.10 going to ANY, using "web-browsing" will show up in the Traffic Log as using rule "Ignore ID 12345", even if it has nothing to do with the Threat ID 12345.</P></BODY></HTML> Thu, 09 Feb 2012 21:37:33 GMT https://live.paloaltonetworks.com/t5/general-topics/still-no-way-to-set-specific-threat-exceptions/m-p/20204#M14699 jambulo 2012-02-09T21:37:33Z https://live.paloaltonetworks.com/t5/general-topics/still-no-way-to-set-specific-threat-exceptions/m-p/20205#M14700 <HTML><HEAD></HEAD><BODY><P>Hi...The traffic log is recording traffic events while the threat log is recording threat events.&nbsp; If there is traffic (regardless if the threat is present or not) then it is recorded in the traffic log.&nbsp; You are viewing the traffic log hence you're seeing the traffic activity.&nbsp; The threat log should not register the event with threat ID 12345 because it is being ingored.</P><P></P><P>How about changing the rule name from "Ignore ID 12345" to ""Scan all, Ignore ID 12345"?</P><P></P><P>Thanks.</P></BODY></HTML> Thu, 09 Feb 2012 22:46:04 GMT https://live.paloaltonetworks.com/t5/general-topics/still-no-way-to-set-specific-threat-exceptions/m-p/20205#M14700 rmonvon 2012-02-09T22:46:04Z https://live.paloaltonetworks.com/t5/general-topics/still-no-way-to-set-specific-threat-exceptions/m-p/20206#M14701 <HTML><HEAD></HEAD><BODY><P>You can create a custom threatpolicy (that you can group with other custom or default settings into a profile group).</P><P></P><P>This custom threatpolicy (or the whole profile group) can then be applied for your traffic to/from a specific ip-address or such.</P><P></P><P>Since the ruleset in PAN is top-down first-match you can set it up as:</P><P></P><P>rule1: srcip=x.x.x.x, threatprofile=ALL_BUT_12345<BR />rule2: srcip=any, threatprofile=default</P></BODY></HTML> Fri, 10 Feb 2012 07:57:28 GMT https://live.paloaltonetworks.com/t5/general-topics/still-no-way-to-set-specific-threat-exceptions/m-p/20206#M14701 mikand 2012-02-10T07:57:28Z