10-06-2017 01:48 PM
I see these alerts with same name and description, where as one is considered low and other as medium.
Why do they even have different ID's
10-24-2017 03:29 PM
They each have their own vulnerability signature, therefore a unique Threat ID. I see a total of 26 threats that are named "HTTP SQL Injection Attempt", 1-high, 23-medium, and 2-low in severity.
10-24-2017 03:29 PM
They each have their own vulnerability signature, therefore a unique Threat ID. I see a total of 26 threats that are named "HTTP SQL Injection Attempt", 1-high, 23-medium, and 2-low in severity.
10-30-2017 11:44 AM
So should blocking be done based on severity only?
10-30-2017 02:40 PM
I don't want to say based on severity "only", but for us it definitely helps simplify things so that everytime Palo Alto releases a new Threat ID we don't have to go configure a custom action for each one. We also don't feel comfortable using a default action of "alert" for a critical severity threat.
This is what we do... For critical, high, and medium threats we use "reset-both" action. For low threats we use "default" action (which uses the individual threat's action recommended by Palo Alto). For informational threats we use "allow" action. Then we use "exceptions" when we have a Threat ID we want configured differently than based on severity.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
