https://live.paloaltonetworks.com/t5/general-topics/excluding-threats-from-tap-allerting/m-p/216235#M62647 <P>Thanks,</P><P>&nbsp;</P><P>I am now not getting bombarded by unwanted alerts.</P><P>&nbsp;</P><P>Rob</P> Fri, 01 Jun 2018 09:17:38 GMT RobinClayton 2018-06-01T09:17:38Z https://live.paloaltonetworks.com/t5/general-topics/excluding-threats-from-tap-allerting/m-p/215290#M62480 <P>We have a TAP interface listening to a number of vlans (internal and external)</P><P>&nbsp;</P><P>We get a lot of noise in our allerts from threats we would prefer not to get alerted on.</P><P>&nbsp;</P><P>For example, presently "SipVicious"&nbsp; scans are occuring all the time to what are actually unused IP addresses on one VLAN.</P><P>&nbsp;</P><P>&nbsp;</P><P>How can we dial these out???</P><P>&nbsp;</P><P>Thanks</P><P><BR />Rob</P> Thu, 24 May 2018 07:54:29 GMT https://live.paloaltonetworks.com/t5/general-topics/excluding-threats-from-tap-allerting/m-p/215290#M62480 RobinClayton 2018-05-24T07:54:29Z https://live.paloaltonetworks.com/t5/general-topics/excluding-threats-from-tap-allerting/m-p/215360#M62489 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/71756">@RobinClayton</a>,</P><P>I imagine if you are using a TAP interface you are just in the process of actually getting all of this setup, and therefore likely using the default profiles. This will by default cause an alert to be generated, but if you use a profile other than the default you can actually build out an exclusion within the profile to ignore certain threats.&nbsp;</P><P>I would be slightly more concerned however that you are getting alerts for scans taking place on the tap interface. Have you properly investigated these and verified that there aren't actually scans taking place across your network for some reason? If it's a false positive then I would look at adding an exclusion into the profile if you truly want to just get rid of the alerts that are being generated.&nbsp;</P><P>Here's all of the IDs that you would need to exclude from a Spyware profile.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture.PNG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/15262i2C5E59E93D3B06B7/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Capture.PNG" alt="Capture.PNG" /></span></P> Thu, 24 May 2018 16:01:55 GMT https://live.paloaltonetworks.com/t5/general-topics/excluding-threats-from-tap-allerting/m-p/215360#M62489 BPry 2018-05-24T16:01:55Z https://live.paloaltonetworks.com/t5/general-topics/excluding-threats-from-tap-allerting/m-p/215480#M62498 <P>I do have Specific profiles for the Tap for (AV/AS/VP)</P><P>&nbsp;</P><P>And on the AS profile where SIPVicious can be found I have added an exclusion,</P><P>&nbsp;</P><P>So "SIPVicious" is on the Anti-Spyware profile, I have a exclusion for the "Audit-Tool" as that's the only one we see.</P><P>&nbsp;</P><P>But the alerts still come though.</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ips.jpg" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/15298iFB98F7EA833D7171/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="ips.jpg" alt="ips.jpg" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>This particular traffic is on the outside of the network, it's being picked up as there is an un-routed&nbsp;"VLAN" on one of the monitored switch ports.</P><P>&nbsp;</P><P>But we also get a lot of alerts generated because we run our own internal vulnerability scanner, so we generate our own false positive results.</P><P>&nbsp;</P><P>Rob</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 25 May 2018 08:27:39 GMT https://live.paloaltonetworks.com/t5/general-topics/excluding-threats-from-tap-allerting/m-p/215480#M62498 RobinClayton 2018-05-25T08:27:39Z https://live.paloaltonetworks.com/t5/general-topics/excluding-threats-from-tap-allerting/m-p/216107#M62619 <P>In this exception you have action 'drop'. That will always be logged. Change to allow in exception.</P> Thu, 31 May 2018 13:15:16 GMT https://live.paloaltonetworks.com/t5/general-topics/excluding-threats-from-tap-allerting/m-p/216107#M62619 santonic 2018-05-31T13:15:16Z https://live.paloaltonetworks.com/t5/general-topics/excluding-threats-from-tap-allerting/m-p/216117#M62625 <P>Ah right, will give that a go, althought the scans for that particular threat appear to have stopped now anyway.</P><P>&nbsp;</P><P>Cheers</P><P>&nbsp;</P><P>Rob</P> Thu, 31 May 2018 15:48:50 GMT https://live.paloaltonetworks.com/t5/general-topics/excluding-threats-from-tap-allerting/m-p/216117#M62625 RobinClayton 2018-05-31T15:48:50Z https://live.paloaltonetworks.com/t5/general-topics/excluding-threats-from-tap-allerting/m-p/216235#M62647 <P>Thanks,</P><P>&nbsp;</P><P>I am now not getting bombarded by unwanted alerts.</P><P>&nbsp;</P><P>Rob</P> Fri, 01 Jun 2018 09:17:38 GMT https://live.paloaltonetworks.com/t5/general-topics/excluding-threats-from-tap-allerting/m-p/216235#M62647 RobinClayton 2018-06-01T09:17:38Z