Add a Vulnerability Exception to Block Based on Both Source and Destination IP Address

Details

Creating a vulnerability exception adds an exemption for all the traffic matched by the security rule; it applies globally to every IP address in the subnets referenced by that rule. It is also possible, however, to scope the exemption to one particular source and one particular destination within the subnets referenced by the rule.

Use the IP Address Exemptions column to add IP address filters to a threat exception. If IP addresses are added to a threat exception, the exception's action for that signature overrides the rule's action only when the signature is triggered by a session whose source or destination IP matches an IP in the exemption list.


Steps

1. In the WebGUI, go to Objects > Security Profiles > Vulnerability Protection, click the Exceptions tab, enter the Threat ID and click Enable. Enter both the Source and Destination IP addresses to be exempted in the exception list.

(Screenshot: 4.JPG)

2. After specifying both the Source and Destination IP address, the Palo Alto Networks firewall will still exempt based only on the Source IP address 200.1.1.10. To track the destination as well, set the action to block IP, set tracking to both the Source and Destination IP address, and specify the time interval.

(Screenshot: 3.JPG)

3. The firewall now checks both the Source and Destination IP address against the exception list; if either the Source or the Destination IP address is present in the list, the rule blocks the traffic for 3600 seconds.
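As an added illustration (not code from this article or from Palo Alto Networks), the following Python model shows the two behaviours described above: the matching rule from the Details section, where an exception with an IP Address Exemptions list overrides the profile's default action only when the session's source or destination appears in that list, and the block-ip tracking from steps 2 and 3, where a source/destination pair stays blocked for the configured duration. The threat IDs 12345 and 99999, the destination 10.1.1.5, the documentation-range addresses and all class and function names are assumptions made for the example; only 200.1.1.10 and the 3600-second duration come from the article.

```python
"""Toy model of how a vulnerability-profile threat exception with an IP Address
Exemptions list is applied to a session.  Added illustration for this article,
not firewall code: the class names, the threat IDs and the session addresses
used in demo() (other than 200.1.1.10) are constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class ThreatException:
    threat_id: int
    enabled: bool = True                  # the "Enable" checkbox on the Exceptions tab
    action: str = "allow"                 # allow | alert | drop | reset-both | block-ip
    exempt_ips: Set[str] = field(default_factory=set)   # empty = every session on the rule
    track_by: str = "source"              # block-ip tracking: "source" or "source-and-destination"
    duration: int = 3600                  # seconds a tracked address / pair stays blocked


@dataclass
class VulnerabilityProfile:
    default_action: str = "alert"         # action taken when no enabled exception overrides it
    exceptions: Dict[int, ThreatException] = field(default_factory=dict)


class ExceptionEvaluator:
    """Decides the action for one session that triggered a given threat ID."""

    def __init__(self, profile: VulnerabilityProfile) -> None:
        self.profile = profile
        # block-ip tracking table: (src,) or (src, dst) -> time the block expires
        self._blocked: Dict[Tuple[str, ...], float] = {}

    def is_blocked(self, src: str, dst: str, now: float) -> bool:
        """A tracked source, or source/destination pair, is blocked for any traffic until expiry."""
        for key in ((src,), (src, dst)):
            expiry = self._blocked.get(key)
            if expiry is not None and now < expiry:
                return True
        return False

    def decide(self, threat_id: int, src: str, dst: str, now: float) -> str:
        if self.is_blocked(src, dst, now):
            return "block-ip (tracked)"
        exc = self.profile.exceptions.get(threat_id)
        if exc is None or not exc.enabled:
            return self.profile.default_action      # no enabled exception: profile default applies
        # With exempt IPs listed, the exception overrides the default only when
        # either the source OR the destination of the session is in the list.
        if exc.exempt_ips and src not in exc.exempt_ips and dst not in exc.exempt_ips:
            return self.profile.default_action
        if exc.action != "block-ip":
            return exc.action
        key = (src, dst) if exc.track_by == "source-and-destination" else (src,)
        self._blocked[key] = now + exc.duration     # start (or restart) the tracked block
        return "block-ip"


def demo() -> List[str]:
    """Walk the article's scenario: a block-ip exception tracked by source and destination."""
    profile = VulnerabilityProfile(default_action="alert", exceptions={
        12345: ThreatException(12345, True, "block-ip", {"200.1.1.10", "10.1.1.5"},
                               "source-and-destination", 3600)})
    ev = ExceptionEvaluator(profile)
    return [
        ev.decide(12345, "200.1.1.10", "10.1.1.5", now=0),     # first hit: block-ip, pair tracked
        ev.decide(99999, "200.1.1.10", "10.1.1.5", now=10),    # any traffic from the pair: still blocked
        ev.decide(12345, "192.0.2.7", "192.0.2.8", now=10),    # neither IP exempt: profile default
        ev.decide(12345, "200.1.1.10", "10.1.1.5", now=3600),  # duration elapsed: blocked afresh
    ]


if __name__ == "__main__":
    print(demo())
```

The model also reproduces the point raised in the comments: an exception whose Enable box is not ticked is ignored and the profile's default action applies, while an enabled exception with action allow lets the listed IP through and leaves every other session on the profile's default.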


For more information on configuring exceptions, please see:

How to Use Anti-Spyware, Vulnerability and Antivirus Exceptions to Block or Allow Threats


owner: dantony

Comments

I wanted something to allow exceptions for certain IP source and destination, not block them.

Just wanted to allow certain IP source or destination, is it available in exception option?

@j.bronson and @zgwei

When you create an exception, then that is what it means, it will allow.


Per the article:

"By default, the Palo Alto Networks firewall reads the Source IP address in the IP Address exemptions list and then bypasses the configured action for that particular rule"


Does that make sense?

@jdelio It does make sense, but when I put the IPs I want exempt in, enable the rule, I expect them to just be allowed vs the default action we are using of alert.  Or is alert the default "allow" action?

@PARad01

Once you place those IPs in the "exemption" area, and then into the security rule, when those IPs hit that rule, they will not even be subject to that one protection, because they are "exempt". They will have all other protections, just not the one they are excluded from.

@jdelio

   - When you create an exception, then that is what it means, it will allow.

Then, what about this article, where it said you should specify the allow action at the end of the threat profile in step 5:

 - "Dismiss the IP Address Exemptions dialogue box and then click default (reset-both) under Action. Change the action to allow:"

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Add-Exempt-IP-Addresses-from-the-Thr...

In my case, PAN-OS 7.1.x, when the IP exemption is used and the action for this signature is block, it would be blocked. It seems like it does not work the way I believe it was meant to (as per my understanding of your comments: --When you create an exception, then that is what it means, it will allow---).

@Yuri_Weksler, this is a silly question, but did you actually click the "Enable" checkbox for this protection? 

These instructions are being re-written now with better pictures.

@jdelio Hi, and thanks for following up on this. I did definitely enable the checkbox while editing this signature's 'Exemption IP' field.
Again, in my case the exemption only works if I choose the 'allow' action with the IP in the exemption list; if the action is 'block' it is blocked, and it does not matter whether the IP is in the exemption list.

@Yuri_Weksler, interesting. So, if I am following correctly:

- You have this exception enabled.

- You have added an IP in the exemption list

- Traffic will be blocked, unless it is "allow", but this is for all traffic, not just what you have entered for the exemption?


If this is all true, then I will have to suggest to contact support, and have them look at this with you.

I will, thanks.