Steps to Change the Default Action for Signatures

by asaxena on 09-26-2014 01:40 PM - edited on 08-28-2015 09:07 AM

Overview

This document describes the steps to change the default action for signatures.


Prerequisites

  1. Ensure that the most current content version is downloaded and installed.
    Go to Device > Dynamic Updates and click "Check now" at the bottom of the page to view the latest updates. If the latest content version is not installed, download and install it.
    Note: If the latest content version was not already installed, log out of the GUI and log back in after the download and install have completed.
  2. Ensure that a Vulnerability Protection profile has been created and is attached to the applicable security policy rules.


Steps

  1. Go to Objects > Security Profiles > Vulnerability Protection and click the name of the profile used in the applicable security policy rules.
  2. Click the Exceptions tab.
  3. Check the "Show all signatures" checkbox at the bottom.
  4. Type the signature ID (shown as xxxxx below) in the search box and press Enter or click the green arrow.
  5. Check the checkbox next to the xxxxx signature to enable the exception, and change the action to the desired value (drop/alert/allow/block).
  6. Click OK.
  7. Commit the changes.


Once the changes are committed, the Palo Alto Networks firewall will apply the updated action for the signatures.


See also:

How to Determine the Number of Threat Signatures on a Palo Alto Networks Firewall

How to Find Matching Signature for Vulnerabilities


owner: parmas

Comments
by HITSSEC
on 04-25-2015 01:46 PM

Keep in mind that the action change is only for that specific vulnerability profile, and be aware of where that vulnerability profile is being used (outbound vs. inbound traffic flows). Failure to understand where the profile is being used may result in unexpected consequences.

by KurtB
on 06-10-2015 01:29 PM

I take it this is only a "temporary" setting, in that it's wiped out with the following week's Applications and Threats file update?

by HITSSEC
on 06-10-2015 07:21 PM

Kurt,

The action change is there as long as you use the vulnerability profile. The only thing that would remove it would be:

a) PaloAlto removes the signature

b) You remove the exception response.

Vulnerability updates may change the trigger mechanism for the signature, but the changed response (via the exception flag) remains intact.

Hope this answers your question.

Phil

by MG
on 11-30-2015 08:32 PM

Hi,


What happens if we check the "Enable" column? Is the (default) action changed?

In this document https://live.paloaltonetworks.com/t5/Threat-Articles/Changes-to-Default-Behavior-of-Vulnerability-ar... because, as I know, the default action is read-only and can't be changed if we do not enable the exception.

And what happens if the exception is on with the default action change?

by CBP-Network-Admin
10-11-2017 06:04 AM - edited 11-09-2017 08:21 AM

Would be helpful to be able to change the default severity of a signature. For example, I might have a logging profile/setting that's configured to send an email or a syslog if a "high" or "critical" signature is matched.


I suppose I could filter alerts on my syslog server or SIEM by name/type, but would be nice to be able to change the severity of all C2 spyware signatures to "critical" in order to key off that.

by RPendela
on 10-25-2017 09:34 AM

Hello Team,


I am a little confused here.

If the security profile action is reset-both, and in the Exceptions tab I have the exception default action as "Alert", which one takes action first? I am sure the profile action takes precedence over the exception action, but just want to confirm.


by CBP-Network-Admin
11-09-2017 08:17 AM - edited 11-09-2017 08:22 AM

@RPendela


"I am sure the profile action takes precedence over the exception action, but just want to confirm."


It's actually the opposite if an exception is defined and enabled - that's the idea behind an exception. 


The action in the Rules section/tab for simple-high - "reset-both" - will take precedence in your case. If you'd like to override that action, you'll need to create an exception and enable it (enable checkbox). In your example the default action for ID 12098 is alert, so you'd just check the enable checkbox and click OK.

by RPendela
11-09-2017 08:27 AM - edited 11-09-2017 08:28 AM

@CBP-Network-Admin


Thanks for the update. We are both in the same boat: I want to block (reset-both) everything which falls in simple-high, and in that case I don't need to select the checkbox to apply any exceptions.


Bottom line: until you select the checkbox in Exceptions, the profile action takes precedence.
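The precedence the thread settles on (an enabled exception overrides the profile rule, an unchecked row changes nothing, and the signature's default action is only a fallback) as an added worked model in Python. This is example code, not PAN-OS or Palo Alto Networks code; the class names, the severity-only rule matching and the "no rule matched falls back to the signature default" behaviour are this example's assumptions.

```python
from dataclasses import dataclass, field

# Constructed model (not PAN-OS code) of how a Vulnerability Protection profile picks
# the action for a matched signature, as the comment thread describes:
#   1. an *enabled* exception for that threat ID wins,
#   2. else the first profile rule matching the signature's severity,
#   3. else the signature's read-only default action (assumed fallback).
@dataclass(frozen=True)
class Signature:
    threat_id: int
    severity: str        # e.g. "critical", "high", "medium"
    default_action: str  # action shipped with the content update
@dataclass
class Rule:
    name: str
    severities: set      # rule matches any of these severities
    action: str          # "default" = use the signature's default action
@dataclass
class ThreatException:
    action: str
    enabled: bool = False  # the "Enable" checkbox in the Exceptions tab
@dataclass
class VulnerabilityProfile:
    rules: list = field(default_factory=list)
    exceptions: dict = field(default_factory=dict)  # threat_id -> ThreatException

    def effective_action(self, sig: Signature) -> tuple:
        # Returns (action, reason) for a signature that hits this profile.
        exc = self.exceptions.get(sig.threat_id)
        if exc is not None and exc.enabled:
            action = sig.default_action if exc.action == "default" else exc.action
            return action, f"enabled exception for ID {sig.threat_id}"
        for rule in self.rules:  # evaluated top-down, first match wins
            if sig.severity in rule.severities:
                action = sig.default_action if rule.action == "default" else rule.action
                return action, f"rule '{rule.name}'"
        return sig.default_action, "no rule matched; signature default"

# Constructed sample mirroring the thread: ID 12098 ships with "alert", simple-high says reset-both.
SIG_12098 = Signature(12098, "high", "alert")
PROFILE = VulnerabilityProfile(rules=[Rule("simple-critical", {"critical"}, "reset-both"),
                                      Rule("simple-high", {"high"}, "reset-both"),
                                      Rule("simple-medium", {"medium"}, "default")])

def walk_through() -> list:
    before = PROFILE.effective_action(SIG_12098)[0]        # rule: reset-both
    PROFILE.exceptions[12098] = ThreatException("alert")   # row added, not enabled
    unchecked = PROFILE.effective_action(SIG_12098)[0]     # still reset-both
    PROFILE.exceptions[12098].enabled = True               # tick "Enable"
    checked = PROFILE.effective_action(SIG_12098)[0]       # now alert
    return [before, unchecked, checked]
```

Running walk_through() reproduces the thread: the rule's reset-both holds until the Enable checkbox is ticked, after which the exception's alert applies only to that ID in that profile.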
