Vulnerability Exception Based Upon Source and Destination IP Address to change the default behavior

Created On 09/25/18 20:34 PM - Last Modified 04/10/24 12:26 PM


Symptom


Sometimes you want to modify the default action only for a few trusted IP addresses, and the rest of the traffic follows the default behavior.  

Environment


All PAN-OS

Cause


Legitimate traffic from trusted IP addresses is identified as a vulnerability.

Resolution


Details

Creating a vulnerability exception adds an exemption for all traffic matched by the security rule; it applies globally to every IP address in the subnet referenced by that rule. However, it is also possible to limit the exemption to one particular source and one particular destination within the subnet referenced by the security rule.

 

Use the IP Address Exemptions column to add IP address filters to a threat exception. If IP addresses are added to a threat exception, the exception action for that signature overrides the rule's action only when the signature is triggered by a session whose source or destination IP matches an IP in the exception. In simple terms: any traffic with an exempted IP as its source or destination gets the exception, and the signature fires as usual for everything else.
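The matching rule described above, written out as an added example (a model of the logic for reasoning about which sessions an exemption covers, not PAN-OS code). The threat ID, the action labels, and every address except 200.1.1.10 are constructed for illustration.

```python
import ipaddress

THREAT_ID = 99999  # placeholder threat ID, not a real signature

# One exception carrying two exempt IPs; "block-ip" and "default" are labels only.
EXCEPTIONS = {
    THREAT_ID: {"action": "block-ip", "exempt_ips": ["200.1.1.10", "10.1.1.20"]},
}


def effective_action(session, profile_action, exceptions):
    """Return the action taken for one session that triggered a signature.

    session: dict with 'src', 'dst' and 'threat_id'
    profile_action: what the profile does for the signature without an exception
    exceptions: {threat_id: {'action': str, 'exempt_ips': [str, ...]}}
    """
    exc = exceptions.get(session["threat_id"])
    if exc is None:
        return profile_action  # signature has no exception at all
    exempt = {ipaddress.ip_address(ip) for ip in exc["exempt_ips"]}
    if not exempt:
        # No IP filter: the exception covers all traffic on the rule.
        return exc["action"]
    endpoints = {
        ipaddress.ip_address(session["src"]),
        ipaddress.ip_address(session["dst"]),
    }
    # A match on EITHER endpoint is enough; this is not a source+destination pair.
    return exc["action"] if endpoints & exempt else profile_action


def audit(sessions, profile_action="default", exceptions=EXCEPTIONS):
    """Map each constructed session to the action it would receive."""
    return [effective_action(s, profile_action, exceptions) for s in sessions]


# Constructed sessions: both endpoints listed, source only, destination only,
# neither, and a different signature.
SAMPLE_SESSIONS = [
    {"src": "200.1.1.10", "dst": "10.1.1.20", "threat_id": THREAT_ID},
    {"src": "200.1.1.10", "dst": "192.0.2.50", "threat_id": THREAT_ID},
    {"src": "198.51.100.7", "dst": "10.1.1.20", "threat_id": THREAT_ID},
    {"src": "198.51.100.7", "dst": "192.0.2.50", "threat_id": THREAT_ID},
    {"src": "200.1.1.10", "dst": "10.1.1.20", "threat_id": 11111},
]

if __name__ == "__main__":
    for s, a in zip(SAMPLE_SESSIONS, audit(SAMPLE_SESSIONS)):
        print(f"{s['src']:>14} -> {s['dst']:<12} threat {s['threat_id']}: {a}")
```

The second and third sessions are the ones to watch when reviewing an exemption list: a listed address brings the exception action to every session it takes part in, whatever the other endpoint is.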

 

Steps

1. In the WebGUI, go to Objects > Security Profiles > Vulnerability Protection and click on the Exceptions tab. Ensure "Show all signatures" is checked, enter the Threat ID, and click Enable. Click on the "IP Address Exemption" column to add both the Source and Destination IP addresses to be exempted on the exception list.

 

2. After specifying the Source and the Destination IP address, the Palo Alto Networks firewall will still be able to exempt based upon the Source IP address 200.1.1.10. In order to track the destination, specify the action as "Block IP" by clicking on the "Action" column and selecting "IP source and destination" for tracking. Also specify the time interval.

 

3. Now the firewall will be able to look at both the Source and Destination IP address for exemption, and if either the Source or the Destination IP address is in the exception list, then the rule will block the traffic for 3600 seconds.

 

For more information on configuring exceptions, please see:

How to Use Anti-Spyware, Vulnerability and Antivirus Exceptions to Block or Allow Threats

 

 

owner: dantony


