I don't want to say based on severity "only", but for us it definitely helps simplify things so that everytime Palo Alto releases a new Threat ID we don't have to go configure a custom action for each one. We also don't feel comfortable using a default action of "alert" for a critical severity threat.
This is what we do... For critical, high, and medium threats we use "reset-both" action. For low threats we use "default" action (which uses the individual threat's action recommended by Palo Alto). For informational threats we use "allow" action. Then we use "exceptions" when we have a Threat ID we want configured differently than based on severity.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!