https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-exceptions/m-p/49162#M36227 <HTML><HEAD></HEAD><BODY><P>I didn't test it myself but I'd say that would work as well. The firewall processes the security rules from top to bottom until a match is found. So if the new security rule above the old one is a match it would allow it and alert it in the Threat log.</P></BODY></HTML> Fri, 15 Feb 2013 11:04:09 GMT oschuler 2013-02-15T11:04:09Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-exceptions/m-p/49158#M36223 <HTML><HEAD></HEAD><BODY><P>Dear all,</P><P></P><P>We've got one, okay, two little questions on the configuration of vulnerability protection:</P><P></P><P>Assuming we have a security policy configured with the pre-defined vulnerability protection profile named "strict". From that policy we're getting "LDAP: User Login Brute-force Attempt" (ID 40'005, severity high) log entries from time to time. The action is to drop all packets (because of the rule in place to block all critical, high and medium rated threats). </P><P></P><P>The queries are legitimate and we'd like to tweak the timing attributes for that specific threat ID. Now the first question is: What happens if we just change the timing values on that threat ID using the little pencil icon <STRONG>without</STRONG> enabling the exception using the "Enable" check box in the first column? Will the new timing values be applied or is it mandatory to also check the Enable checkbox for the change to take effect?</P><P></P><P>The second question (just to be sure): What action is applied if we'd enable this threat ID in the exceptions tab? Is it correct that the default action for threat ID 40005 (which is set to alert only) would be applied?.</P><P></P><P>Thanks for any clarification.</P><P></P><P>Regards,</P><P>Oliver</P></BODY></HTML> Thu, 14 Feb 2013 19:42:09 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-exceptions/m-p/49158#M36223 oschuler 2013-02-14T19:42:09Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-exceptions/m-p/49159#M36224 <HTML><HEAD></HEAD><BODY><P>Oliver,</P><P></P><P>When you modify the vulnerability settings, you will need to use the <SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">"Enable" check box</SPAN>. If you don't, the changes you made will not take effect. </P><P></P><P>As for your second question, when you enable the threat in the exceptions tab, the action defined on this signature will be used. In this case, alert.</P><P></P><P>Thanks,</P><P>Sri</P></BODY></HTML> Thu, 14 Feb 2013 19:45:35 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-exceptions/m-p/49159#M36224 zarina 2013-02-14T19:45:35Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-exceptions/m-p/49160#M36225 <HTML><HEAD></HEAD><BODY><P>Thank you very much for your very quick reply. </P></BODY></HTML> Thu, 14 Feb 2013 19:47:47 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-exceptions/m-p/49160#M36225 oschuler 2013-02-14T19:47:47Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-exceptions/m-p/49161#M36226 <HTML><HEAD></HEAD><BODY><P>As another workaround wouldnt it be possible to create an IPS profile which only contains this threat where you force it to alert (in case the default for the threat is block) and then in the security policy setup a new rule above the current one but with only the particular src/dstip which then uses this new IPS profile to bypass the check?</P><P></P><P>I mean in a situation where:</P><P></P><P>- The threat in question has block as default (but you want it to alert).</P><P>- At the same time as you only want to change this for a particular flow.</P></BODY></HTML> Fri, 15 Feb 2013 08:47:38 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-exceptions/m-p/49161#M36226 mikand 2013-02-15T08:47:38Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-exceptions/m-p/49162#M36227 <HTML><HEAD></HEAD><BODY><P>I didn't test it myself but I'd say that would work as well. The firewall processes the security rules from top to bottom until a match is found. So if the new security rule above the old one is a match it would allow it and alert it in the Threat log.</P></BODY></HTML> Fri, 15 Feb 2013 11:04:09 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-exceptions/m-p/49162#M36227 oschuler 2013-02-15T11:04:09Z