Cannot change action for special Threat ID

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Cannot change action for special Threat ID

L0 Member

On our 5410 with PANOS 10.2.7-h3 installed I can see a lot of threats with ID 89953 (Inline Cloud Analyzed Unknown-TCP Command and Control Traffic Detection), severity = high, default action = alert.

I want to change the default action via Anti-Spyware-Profile > Inline Cloud Analysis, but it's not possible for this special threat.

Any idea how to change this?

 

Thx in advance

Thomas

3 REPLIES 3

L4 Transporter

You arent able to change the predefined security profiles if youre trying to change it from there. You would have to clone the profile and edit it there.

 

The threat ID is for this entirely, if you wanted to disable this you could set the action to alert. However, down below if where you can set specific exceptions for the threat. 

 

Claw4609_0-1706128459203.png

 

L0 Member

Sure, I've always been using a custom profile and all actions within "Inline Cloud Analysis" are set to "reset-both".

 

Cloud analysis.JPG

 

What I've found out in the meantime:

In some rare cases threat IDs within the range 89950-89953 are blocked.

No idea why...

And I still want to block all those threats.

 

Threat-8995x.JPG

Just to clarify, are you wanting to block or allow threat IDs 89950-89953? While I dont have much of this traffic being flagged in my environment, its possible that this operates similar to Wildfire, and it initially alerts/allows the traffic before the cloud comes back and says no for future connections.

  • 251 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!