https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-ip-exception/m-p/350289#M86951 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/128760">@lee.curtis</a>,</P> <P>As&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/129900">@Abdul-Fattah</a>&nbsp; alluded to, you're going to want to build a separate security rulebase entry to allow the traffic. You can programmatically add an exception relatively easy, but it is simply just building an IP address exception for each signature. Just build out a new security rulebase entry and remove it when the penetration test is done.&nbsp;</P> Fri, 18 Sep 2020 04:00:15 GMT BPry 2020-09-18T04:00:15Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-ip-exception/m-p/350237#M86942 <P>We have our regular penetration tests coming up and we need to allow the IP addresses that are doing the testing to scan our network. Is there a way to create an IP based vulnerability protection exception? I know how to create an exception for a specific threat, but is there a way to allow a specific IP or set of IPs through the vulnerability protection without allowing everyone through?</P> Thu, 17 Sep 2020 22:12:13 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-ip-exception/m-p/350237#M86942 lee.curtis 2020-09-17T22:12:13Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-ip-exception/m-p/350250#M86943 <P>Is there a reason why u do not want to use separate security Policy to allow what you want, for these IPs !?</P> Thu, 17 Sep 2020 23:03:34 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-ip-exception/m-p/350250#M86943 Abdul-Fattah 2020-09-17T23:03:34Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-ip-exception/m-p/350289#M86951 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/128760">@lee.curtis</a>,</P> <P>As&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/129900">@Abdul-Fattah</a>&nbsp; alluded to, you're going to want to build a separate security rulebase entry to allow the traffic. You can programmatically add an exception relatively easy, but it is simply just building an IP address exception for each signature. Just build out a new security rulebase entry and remove it when the penetration test is done.&nbsp;</P> Fri, 18 Sep 2020 04:00:15 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-ip-exception/m-p/350289#M86951 BPry 2020-09-18T04:00:15Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-ip-exception/m-p/350739#M86992 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/128760">@lee.curtis</a>&nbsp;</P> <P>&nbsp;</P> <P>We do this regularly in our network where External Vendors do Pen test against our public facing applications.</P> <P>You will need security rule with source as Vendor Public IP and destination will be your External Interface public IP.</P> <P>For this security normally we do all security profiles as none and once Pen Testing is done then rule can be removed.</P> <P>&nbsp;</P> <P>Regards</P> <P>&nbsp;</P> Sun, 20 Sep 2020 23:25:20 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-ip-exception/m-p/350739#M86992 MP18 2020-09-20T23:25:20Z