Is there a way to create a vulnerability exception for an IP address for ALL threats?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Is there a way to create a vulnerability exception for an IP address for ALL threats?

L0 Member

We have a server that runs vulnerability scans that I would like to white-list against ALL threats... Is there an easy way to do this?

Thanks

3 REPLIES 3

L3 Networker

For specific vulnerabilities, you can create an exception.

Add a Vulnerability Exception Specifically Based Upon Source and Destination IP Address

https://live.paloaltonetworks.com/docs/DOC-7907

But if you want to white-list one particular IP against all vulnerabilities, the only way is to create a security policy for that specific IP address without security profiles (keep this policy on TOP)

Regards,

Rahul Singh

Two options

1. Configure the security profiles for the server's security policy to be alert only on all levels (useful for comparison purposes between the Palo Alto Networks firewall and the server outputs)

2. Configure no security profiles for the server's security policy.

Configuring exceptions for all current signatures would require updating each time that new signatures are released. This is double edged in that it would be more work to keep up to date, but would also create greater familiarity with the current list of signatures on the firewall

James Costello
Global Solutions Architect, NGFW
Palo Alto Networks

L0 Member

Try to add a new security policy at the top of your rule base without any Vulnerability Protection, Anti-Spyware and Antivirus profiles. Just use the scanner's IP in the source field of the new rule and add all destination zones and addresses you wish to scan. Ideally you place the VA-scanner in a separate zone without any zone protection enabled.

  • 6596 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!