https://live.paloaltonetworks.com/t5/general-topics/security-policy-exception-question/m-p/148870#M49670 <P>Sorry, should have elaborated on that part. By critical traffic I meant critical threats. Planning on doing that in the profiles.</P> Wed, 22 Mar 2017 13:53:22 GMT TLineberry 2017-03-22T13:53:22Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-exception-question/m-p/148843#M49662 <P>Hi, I'm trying to create a security policy that would block all critical traffic from source zone&nbsp;"A", to destination zone "B". However, I want to allow traffic from a specific IP in zone "A". How can I make an exception to allow that IP? I assume I could create a policy to allow that IP and then one below it block traffic from that zone but I would prefer not to do that- feel like it could be error prone, etc.</P><P>&nbsp;</P><P>Thank you!</P> Wed, 22 Mar 2017 13:28:47 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-exception-question/m-p/148843#M49662 TLineberry 2017-03-22T13:28:47Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-exception-question/m-p/148868#M49669 <P>Hmm, define 'critical traffic'. Applications with high risk? Critical events from some security profile?</P><P>&nbsp;</P> Wed, 22 Mar 2017 13:51:01 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-exception-question/m-p/148868#M49669 santonic 2017-03-22T13:51:01Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-exception-question/m-p/148870#M49670 <P>Sorry, should have elaborated on that part. By critical traffic I meant critical threats. Planning on doing that in the profiles.</P> Wed, 22 Mar 2017 13:53:22 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-exception-question/m-p/148870#M49670 TLineberry 2017-03-22T13:53:22Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-exception-question/m-p/148874#M49671 <P>I would suggest blocking at least critical events on all traffic, but ok.</P><P>&nbsp;</P><P>Yeah, you have to make a rule for that specific IP first with security profile set to alert (or no security profile).</P><P>After that rule you make a rule from zone A to B with blocking security profile.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 22 Mar 2017 14:07:35 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-exception-question/m-p/148874#M49671 santonic 2017-03-22T14:07:35Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-exception-question/m-p/148879#M49673 <P>for a single or a few threats you can add an IP exception in the vulnerability protection profile in the exceptions tab, but if you want to exclude an ip from all scanning it's better to create a new rule with a different (alert all) profile</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="exception.png"><img src="https://live.paloaltonetworks.com/skins/images/EAF30C9A5814E020FF754681AA726920/responsive_peak/images/image_not_found.png" alt="exception.png" /></span></P> Wed, 22 Mar 2017 14:22:27 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-exception-question/m-p/148879#M49673 reaper 2017-03-22T14:22:27Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-exception-question/m-p/148885#M49678 <P>Ohh, didn't know about 'ip exemptions' query so far.</P> Wed, 22 Mar 2017 14:29:48 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-exception-question/m-p/148885#M49678 santonic 2017-03-22T14:29:48Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-exception-question/m-p/148887#M49679 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/10238">@santonic</a> wrote:<BR /> <P>Ohh, didn't know about 'ip exemptions' query so far.</P> <HR /></BLOCKQUOTE> <P>bonus: you can also add IP exceptions (or policy exceptions) directly from the threat log:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="exception log.png"><img src="https://live.paloaltonetworks.com/skins/images/EAF30C9A5814E020FF754681AA726920/responsive_peak/images/image_not_found.png" alt="exception log.png" /></span></P> Wed, 22 Mar 2017 14:33:19 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-exception-question/m-p/148887#M49679 reaper 2017-03-22T14:33:19Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-exception-question/m-p/148989#M49707 <P>We do block all critical events already, just trying to get a better idea of some things and using a policy for it. I appreciate the help. I think my only option is creating two separate rules.</P> Wed, 22 Mar 2017 18:58:07 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-exception-question/m-p/148989#M49707 TLineberry 2017-03-22T18:58:07Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-exception-question/m-p/149304#M49769 <P>Hi TLineberry,</P><P>&nbsp;</P><P>Use the 'Negate' option.</P><P>&nbsp;</P><P>Create a rule which allows the traffic rule like this:</P><P>Source Zone = A</P><P>Source address = the ones you want to allow AND check the box for 'Negate'</P><P>Destination Zone = B</P><P>Destination Zone = Allow</P><P>Application/Service/Security profile = your choice</P><P>Action = Allow</P><P>&nbsp;</P><P>The unwanted IPs would hit the interzone rule, IFF they don't happen to match some other rule.</P><P>&nbsp;</P><P>Hope that helps.</P><P>&nbsp;</P><P>Regards,</P><P>Anurag</P> Fri, 24 Mar 2017 06:11:58 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-exception-question/m-p/149304#M49769 ansharma 2017-03-24T06:11:58Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-exception-question/m-p/149678#M49822 <P>This is exactly what I'm looking for. Thank you!!</P> Mon, 27 Mar 2017 14:55:57 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-exception-question/m-p/149678#M49822 TLineberry 2017-03-27T14:55:57Z