https://live.paloaltonetworks.com/t5/general-topics/email-alert-on-a-specific-vulnerability/m-p/47753#M35120 <HTML><HEAD></HEAD><BODY><P>Karthik,</P><P>&nbsp; Thanks for the response. I think what I am struggling with is that if I create the new security rule that for instance looks at all traffic inbound from the untrusted to the trusted zone with a vulnerability profile set as you suggest then all the inbound traffic will follow the action of this rule (allow or deny) without regard to whether the traffic did or did not have the vulnerability and because of that the traffic will never fall through to the follow-up rule that checked for the other vulnerabilities.</P><P></P><P>My understanding is that if the traffic matches (source, destination, application, service, user) then the traffic does not get processed by follow-up rules no matter what is or is not set in the security profiles.Is this incorrect?</P><P></P><P>Thanks,</P><P>Jim.</P></BODY></HTML> Fri, 26 Jul 2013 19:15:03 GMT jmayne 2013-07-26T19:15:03Z https://live.paloaltonetworks.com/t5/general-topics/email-alert-on-a-specific-vulnerability/m-p/47751#M35118 <HTML><HEAD></HEAD><BODY><P>I am looking for a way to send an email alert when a specific vulnerability threat occurs but I am stumped. I can define the email in the log notification but I cannot figure out how to use it. In a security rule I cannot specify the specific vulnerability I want this log notification applied to and I cannot create a security rule that applies to just one vulnerability without evaluating all the other traffic that matches the traffic criteria as well. </P><P></P><P>Can anyone suggest a way to send an email alert when a specific threat occurs either using the PS device or Panorama?</P><P></P><P>Thanks,</P><P>Jim</P></BODY></HTML> Fri, 26 Jul 2013 13:47:38 GMT https://live.paloaltonetworks.com/t5/general-topics/email-alert-on-a-specific-vulnerability/m-p/47751#M35118 jmayne 2013-07-26T13:47:38Z https://live.paloaltonetworks.com/t5/general-topics/email-alert-on-a-specific-vulnerability/m-p/47752#M35119 <HTML><HEAD></HEAD><BODY><P>Hi jmayne,</P><P>If you are looking for emailing just one vulnerability threat events, you can create a new vulnerability profile for that threat ID, as shown in the screen shot below</P><P><IMG alt="cve-30003.JPG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/7448_cve-30003.JPG" width="450" /></P><P></P><P>Then use this profile under the security rule for which the traffic will flow through. Bear in mind that you should have a similar security policy below this rule , having a vulnerability profile that checks for the rest of the vulnerability signatures, so that you do not skip checking the other malicious traffic.</P><P></P><P>Create a new log forwarding profile and select the email server that we have configured </P><P></P><P><IMG alt="log forwarding profile.JPG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/7449_log forwarding profile.JPG" width="450" /></P><P></P><P></P><P>Use this log forwarding profile under the first security policy that we created</P><P></P><P><IMG alt="threat-policy.JPG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/7450_threat-policy.JPG" width="450" /></P><P></P><P></P><P>Hope this helps,</P><P></P><P>BR,</P><P>Karthik</P></BODY></HTML> Fri, 26 Jul 2013 14:57:13 GMT https://live.paloaltonetworks.com/t5/general-topics/email-alert-on-a-specific-vulnerability/m-p/47752#M35119 kprakash 2013-07-26T14:57:13Z https://live.paloaltonetworks.com/t5/general-topics/email-alert-on-a-specific-vulnerability/m-p/47753#M35120 <HTML><HEAD></HEAD><BODY><P>Karthik,</P><P>&nbsp; Thanks for the response. I think what I am struggling with is that if I create the new security rule that for instance looks at all traffic inbound from the untrusted to the trusted zone with a vulnerability profile set as you suggest then all the inbound traffic will follow the action of this rule (allow or deny) without regard to whether the traffic did or did not have the vulnerability and because of that the traffic will never fall through to the follow-up rule that checked for the other vulnerabilities.</P><P></P><P>My understanding is that if the traffic matches (source, destination, application, service, user) then the traffic does not get processed by follow-up rules no matter what is or is not set in the security profiles.Is this incorrect?</P><P></P><P>Thanks,</P><P>Jim.</P></BODY></HTML> Fri, 26 Jul 2013 19:15:03 GMT https://live.paloaltonetworks.com/t5/general-topics/email-alert-on-a-specific-vulnerability/m-p/47753#M35120 jmayne 2013-07-26T19:15:03Z https://live.paloaltonetworks.com/t5/general-topics/email-alert-on-a-specific-vulnerability/m-p/47754#M35121 <HTML><HEAD></HEAD><BODY><P>Hi Jim,</P><P>Yes, you were right about the fact that the PANFW wouldnt check for other vulnerabilities. My Bad <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P>We dont have a way of specifying a particular threat event for which the PANFW should forward the email notification for. As a work around, you can create the log forwarding profile with the email server settings and apply it to the policy, and we will email the notifications out to the mail server. You can limit the emails that are sent out, by selecting the severity of the threat. That way you are still sending out the email notifications, at the cost of sending extra email notifications of other threats as well ( which by the way is a good practice <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /> )</P><P></P><P>BR,</P><P>Karthik </P></BODY></HTML> Fri, 26 Jul 2013 21:21:03 GMT https://live.paloaltonetworks.com/t5/general-topics/email-alert-on-a-specific-vulnerability/m-p/47754#M35121 kprakash 2013-07-26T21:21:03Z https://live.paloaltonetworks.com/t5/general-topics/email-alert-on-a-specific-vulnerability/m-p/47755#M35122 <HTML><HEAD></HEAD><BODY><P>On the other hand,</P><P>You can create a custom report and filter it out based on the threat id in question.</P><P></P><P><IMG __jive_id="7458" alt="threat 30002.JPG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/7458_threat 30002.JPG" width="450" /></P><P></P><P>You can then apply this custom report on a report group, and then use this report group under an email scheduler.</P><P></P><P><IMG __jive_id="7459" alt="email scheduler.JPG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/7459_email scheduler.JPG" width="450" /></P><P></P><P>The only caveat to this solution is that you will not get live emails when the vulnerability is hit (unlike when using the log forwarding profile mentioned above ), but atleast you can get email notifications everyday about the event when the vulnerability was detected on the firewall.</P><P></P><P>Does this help?</P><P></P><P>BR,</P><P>karthik</P></BODY></HTML> Fri, 26 Jul 2013 21:31:14 GMT https://live.paloaltonetworks.com/t5/general-topics/email-alert-on-a-specific-vulnerability/m-p/47755#M35122 kprakash 2013-07-26T21:31:14Z https://live.paloaltonetworks.com/t5/general-topics/email-alert-on-a-specific-vulnerability/m-p/47756#M35123 <HTML><HEAD></HEAD><BODY><P>I would setup log-forwarding (syslog), and then have the external syslog server parse the syslog messages looking for that specific threat ID.&nbsp; Then, configure the syslog server to send an e-mail when that threat ID is detected. </P></BODY></HTML> Fri, 26 Jul 2013 21:47:53 GMT https://live.paloaltonetworks.com/t5/general-topics/email-alert-on-a-specific-vulnerability/m-p/47756#M35123 jvalentine 2013-07-26T21:47:53Z https://live.paloaltonetworks.com/t5/general-topics/email-alert-on-a-specific-vulnerability/m-p/47757#M35124 <HTML><HEAD></HEAD><BODY><P>karthik,</P><P>&nbsp; I will try the workaround and I appreciate it. How can I ask for a feature request? Does PA have a page for that on the support site?</P><P></P><P>Thanks,</P><P>Jim</P></BODY></HTML> Fri, 26 Jul 2013 21:50:04 GMT https://live.paloaltonetworks.com/t5/general-topics/email-alert-on-a-specific-vulnerability/m-p/47757#M35124 jmayne 2013-07-26T21:50:04Z https://live.paloaltonetworks.com/t5/general-topics/email-alert-on-a-specific-vulnerability/m-p/47758#M35125 <HTML><HEAD></HEAD><BODY><P>Hi Jim,</P><P>For filing feature request you will need to get in touch with your local Sales Engineer. He will file it on your behalf.</P><P>Hope this helps.</P><P>Thanks</P><P>Numan</P></BODY></HTML> Fri, 26 Jul 2013 21:55:13 GMT https://live.paloaltonetworks.com/t5/general-topics/email-alert-on-a-specific-vulnerability/m-p/47758#M35125 mbutt 2013-07-26T21:55:13Z https://live.paloaltonetworks.com/t5/general-topics/email-alert-on-a-specific-vulnerability/m-p/47759#M35126 <HTML><HEAD></HEAD><BODY><P>Thanks everyone For your help.</P><P></P><P>JIm</P></BODY></HTML> Sat, 27 Jul 2013 01:11:57 GMT https://live.paloaltonetworks.com/t5/general-topics/email-alert-on-a-specific-vulnerability/m-p/47759#M35126 jmayne 2013-07-27T01:11:57Z