02-09-2012 07:08 AM
I created this thread over a year ago...
https://live.paloaltonetworks.com/message/3636#3636
...is there still no more intuitive way to be more granular when it comes to creating threat exceptions? I'm still having the same problem I report at the bottom of that thread. For example...
I need to create a rule to ignore Threat ID 12345. If I use these rule settings...
Rule Name = Exception-12345
Source = Internal Address Space
Destination = Any
Application = web-browsing
Service = service-http
Profile = Vulnerability profile with exception for Threat ID 12345
...then it would successfully ignore threat 12345, but ANYTHING else that meets these rule requirements(even if it has nothing to do with Threat ID 12345)will be logged as this rule(Exception-12345) in the traffic log.
02-09-2012 08:54 AM
Which answer did the sales rep return to you regarding this?
What do you mean that it will be logged in the traffic log?
You didnt setup a log entry for this rule?
Then if you use default for the other threats then its depends on how each threat is setup in the threat db if it should just alert (just log) or deny (block and log). Given that you get a hit for the other threats that is...
02-09-2012 01:37 PM
To simplify my question...Is there a way to create Threat Exceptions for a specific source and/or destination IP? Currently, the only way to create an Exception is to completely ignore the threat. No matter what source or destination.
Now, I am able to create a rule in the Security Policy called "Ignore ID 12345". The rule has this settings, traffic from source 192.168.1.10 going to destination ANY, using Application "web-browsing", and using a Vulnerability Profile that has an Exception for Threat ID 12345.
This rule will not log any Threats with ID 12345 if it's coming from 192.168.1.10 going on ANY, using "web-browsing".
The problem, ANY OTHER traffic coming from 192.168.1.10 going to ANY, using "web-browsing" will show up in the Traffic Log as using rule "Ignore ID 12345", even if it has nothing to do with the Threat ID 12345.
02-09-2012 02:46 PM
Hi...The traffic log is recording traffic events while the threat log is recording threat events. If there is traffic (regardless if the threat is present or not) then it is recorded in the traffic log. You are viewing the traffic log hence you're seeing the traffic activity. The threat log should not register the event with threat ID 12345 because it is being ingored.
How about changing the rule name from "Ignore ID 12345" to ""Scan all, Ignore ID 12345"?
Thanks.
02-09-2012 11:57 PM
You can create a custom threatpolicy (that you can group with other custom or default settings into a profile group).
This custom threatpolicy (or the whole profile group) can then be applied for your traffic to/from a specific ip-address or such.
Since the ruleset in PAN is top-down first-match you can set it up as:
rule1: srcip=x.x.x.x, threatprofile=ALL_BUT_12345
rule2: srcip=any, threatprofile=default
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
