How to create a vulnerability exception

by rcole on 01-27-2016 02:11 PM - edited on 02-24-2017 03:49 PM by (24,558 Views)

Overview

You may wish to alter the action taken when a vulnerability signature triggers, for a single signature in a single Vulnerability Protection object. The instructions are below.

For more information on all of the exceptions and how to use them, please see this article:

How to Use Anti-Spyware, Vulnerability and Antivirus Exceptions to Block or Allow Threats

Steps

  1. Log into the webGUI of your PAN-OS appliance.
  2. Navigate to the Objects tab. Using the navigation menu on the left, select Security Profiles > Vulnerability Protection.
  3. Under the Name column in the window on the right, click the name of the Vulnerability Protection object that contains the signature you wish to edit. Note that the default and strict profiles, which ship with PAN-OS, cannot be changed and must be cloned first.
  4. Select the Exceptions tab.
  5. Check the show all signatures box.
  6. Search for the threat ID number (or name).
  7. Change the action you wish for the signature to take.
  8. Check the Enable box.
  9. Click OK.
  10. Commit the changes.

After this is done, every signature in that profile continues to take its assigned default action, except the one you just altered. In this instance, signature 30419 now has an action of ALLOW for any security rule this vulnerability profile is assigned to.

Note: Certain vulnerabilities, typically brute-force related, can also have their thresholds changed within a vulnerability exception (the exception's attributes).

Note: If you need to collect extended captures in order to report a false positive, please follow this article.
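The GUI steps above, and the threshold note, produce a single `threat-exception` entry inside the cloned profile. The following script is an added example, not code from this article or from Palo Alto Networks: it builds that fragment and then reads one back to list which signatures have been overridden, which is the review a defender wants after anyone adds an ALLOW exception. The element names (`threat-exception`, `action`, `exempt-ip`, `time-attribute`, `interval`, `threshold`, `track-by`) and the action list are assumptions modelled on what a PAN-OS configuration export looks like, so check them against your own export; the profile name, the exempt host address and the second threat ID are constructed sample values.

```python
"""Build and audit a PAN-OS vulnerability-profile threat-exception fragment.

Added example, not from the article. Element names and the action list are
ASSUMPTIONS modelled on a PAN-OS configuration export; verify them against
your own export. Profile name, IP addresses and the brute-force threat ID
below are constructed sample values.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Actions the Exceptions tab offers (assumed list; the article itself only uses ALLOW).
VALID_ACTIONS = {"default", "allow", "alert", "drop", "reset-client",
                 "reset-server", "reset-both", "block-ip"}
VALID_TRACK_BY = {"source", "source-and-destination"}


def build_threat_exception(threat_id, action, exempt_ips=(), threshold=None,
                           interval=None, track_by="source"):
    """Return one <entry> under <threat-exception> for a single signature.

    exempt_ips limits the override to those hosts; threshold/interval set the
    brute-force trigger count per interval (seconds, assumed unit).
    """
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    entry = ET.Element("entry", name=str(threat_id))
    # The chosen action is encoded as an empty child element, e.g. <action><allow/></action>
    ET.SubElement(ET.SubElement(entry, "action"), action)
    if exempt_ips:
        exempt = ET.SubElement(entry, "exempt-ip")
        for ip in exempt_ips:
            # The comments on the article report that a subnet is rejected here,
            # so accept single host addresses only: "10.0.0.0/23" raises ValueError.
            ET.SubElement(exempt, "entry", name=str(ipaddress.ip_address(ip)))
    if threshold is not None:
        if interval is None:
            raise ValueError("interval is required together with threshold")
        if track_by not in VALID_TRACK_BY:
            raise ValueError(f"unknown track-by {track_by!r}")
        attrs = ET.SubElement(entry, "time-attribute")
        ET.SubElement(attrs, "interval").text = str(interval)
        ET.SubElement(attrs, "threshold").text = str(threshold)
        ET.SubElement(ET.SubElement(attrs, "track-by"), track_by)
    return entry


def build_profile(profile_name, exceptions):
    """Wrap exception entries in a profile <entry>, as a cloned profile would hold them."""
    profile = ET.Element("entry", name=profile_name)
    container = ET.SubElement(profile, "threat-exception")
    for exc in exceptions:
        container.append(exc)
    return ET.tostring(profile, encoding="unicode")


def exception_actions(profile_xml):
    """Audit helper: map threat ID -> overriding action for every exception in a profile.

    Run this over an exported profile to review which signatures no longer take
    their default action; an ALLOW exception is a permanent blind spot.
    """
    root = ET.fromstring(profile_xml)
    result = {}
    for entry in root.iter("entry"):
        action = entry.find("action")
        if action is not None and len(action):
            result[entry.get("name")] = action[0].tag
    return result


if __name__ == "__main__":
    # Constructed sample: a clone of the built-in strict profile with the article's
    # signature 30419 allowed for one host, and a brute-force signature (placeholder
    # ID 40000) raised to 20 hits per 60 seconds, tracked by source.
    profile = build_profile("strict-clone", [
        build_threat_exception(30419, "allow", exempt_ips=["10.0.0.5"]),
        build_threat_exception(40000, "default", threshold=20, interval=60),
    ])
    print(profile)
    print(exception_actions(profile))
```

The audit function is the part worth keeping: exporting the profile after a commit and diffing `exception_actions()` against a known-good baseline catches an exception that was meant to be temporary and never removed.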

Comments
by guhu30
on 12-29-2017 06:01 AM

Hi,

I have a question. I need to add a vulnerability exception for a whole /23 subnet.

When I try to add this exception, I get an error. I can't define a subnet in an exception.

Am I obliged to define IPs one by one?

Kind regards

Guillaume HUGUES

by AnkitPatel
4 weeks ago

We have the same issue. How can we apply an IPS policy exception for subnets?
