07-06-2017 08:40 PM
We have created a custom app id for internal only traffic that is currently generating false positives in our vulnerability scanning.
We ideally would like to stop this particular app-id from being scanned for vulnerabilites or at least a specific vulnerability. Unfortunately I've found no way to create an exception based on ID.
Application Override would suit us but from the documentation, I gather the signature of the app isn't processed and only the criterea specified in the override. We often seem to look at creating exceptions but the options for this at least appear to me to be too non-specific.
Can someone provide some insight?
07-08-2017 11:21 AM
After you create the custom app, and the application override policy, you can create a security policy.
In the security policy, you will specify the custom application you just created, but you will not apply any security profile. This will avoid the application from being scanned by the IPS engine. Remeber that you can be selective, and apply other profiles if you need too.
Since it is an internal application, and you seem to trust it, if performance is an issue, I would create this security policy with the DSRI feature in disabled state.
A session on the firewall comprises two flows, client to server and server to client. The DSRI feature on the Palo Alto Networks firewall can be enabled to skip the inspection of the Server to Client flow.
I hope this helps.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!