https://live.paloaltonetworks.com/t5/general-topics/40031-threat-exception/m-p/343663#M86015 <P>What I am wanting to know is if I can add a range of IP addresses to a vulnerability exception.</P><P>This would be&nbsp;the entire 1-254 range, rather than 1 IP address at a time.</P><P>&nbsp;</P><P>I have already checked the links below and they talk about adding&nbsp;IP addresses one at a time as an exemption.</P><P>Rather than allowing the vulnerability for the entire site, I would like to allow it for 192.168.1.0/24 for example.</P><P>&nbsp;</P><DIV><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm60CAC" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm60CAC</A></DIV><DIV>&nbsp;</DIV><DIV><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhcCAC" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhcCAC</A></DIV><DIV>&nbsp;</DIV> Thu, 13 Aug 2020 05:50:49 GMT FarzanaMustafa 2020-08-13T05:50:49Z https://live.paloaltonetworks.com/t5/general-topics/40031-threat-exception/m-p/343663#M86015 <P>What I am wanting to know is if I can add a range of IP addresses to a vulnerability exception.</P><P>This would be&nbsp;the entire 1-254 range, rather than 1 IP address at a time.</P><P>&nbsp;</P><P>I have already checked the links below and they talk about adding&nbsp;IP addresses one at a time as an exemption.</P><P>Rather than allowing the vulnerability for the entire site, I would like to allow it for 192.168.1.0/24 for example.</P><P>&nbsp;</P><DIV><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm60CAC" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm60CAC</A></DIV><DIV>&nbsp;</DIV><DIV><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhcCAC" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhcCAC</A></DIV><DIV>&nbsp;</DIV> Thu, 13 Aug 2020 05:50:49 GMT https://live.paloaltonetworks.com/t5/general-topics/40031-threat-exception/m-p/343663#M86015 FarzanaMustafa 2020-08-13T05:50:49Z https://live.paloaltonetworks.com/t5/general-topics/40031-threat-exception/m-p/343741#M86034 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/98673">@FarzanaMustafa</a>&nbsp;</P><P>&nbsp;</P><P>Currently exemption is allowed only for single ip address not a subnet. Suggesting a workaround,</P><P>1)Clone the vulnerability profile and create the exemption ( without ipaddress)&nbsp;</P><P>2)create a new security policy with desired range, subnet as source and assign the new vulnerability profile ( cloned one).</P><P>Hope it helps.</P><P>&nbsp;</P><P>Thanks,</P><P>Ram</P> Thu, 13 Aug 2020 14:31:50 GMT https://live.paloaltonetworks.com/t5/general-topics/40031-threat-exception/m-p/343741#M86034 RamprakashRT 2020-08-13T14:31:50Z https://live.paloaltonetworks.com/t5/general-topics/40031-threat-exception/m-p/343985#M86078 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/98673">@FarzanaMustafa</a>,</P> <P>The profile duplication and a new security rulebase entry is the best option as&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/148784">@RamprakashRT</a>&nbsp;already mentioned if you are creating an exception for an entire subnet. I would really look at if you actually require an exception for an entire subnet though. Are you running into a false positive detection?&nbsp;</P> Sat, 15 Aug 2020 03:38:26 GMT https://live.paloaltonetworks.com/t5/general-topics/40031-threat-exception/m-p/343985#M86078 BPry 2020-08-15T03:38:26Z