About jambulo

Does not work.  The vulnerabilities in question are already set to "Alert" as its default Action.  BUT, it does not get forwarded because it has a non-configurable severity set to "Informational". skrall wrote: It looks like you can not change the severity for Vulnerabilities in 3.1 but you can change the default action. OBJECTS tab >> Security Profiles >> Vulnerability Protection Click  "New" to create a new profile. Name the profile. Describe the profile (Optional) Set "Rule Type" = Custom Steve Krall ... View more

Is there any way to change the "Severity" of threats? Looks like Brute Force Attempts are set to "Informational".  Now QRadar doesn't receive any Brute Force Attempts.  There's probably other threats defaulted to "Informational" that I may need to change. ... View more

Good to know that all URL traffic is set to "informational".  QRadar not being able to receive "informational" threats is better than QRadar receiving Alerts for every single URL accessed.  Thank you for your help! ... View more

The reason I need to seperate the profiles into two different rules is because we are forwarding the logs to our Central Log Manager(QRadar).  I set the first rule for just URL Filtering Profile on 80/443, and to "Alert" on allowed sites(I set to "Alert" so I can keep a log in Palo Alto of all the allowed sites).  On this rule, I do NOT forward logs to QRadar.  If I do, all of the allowed sites show up as "offenses" because they are set to "Alert" in PaloAlto. I then set up a second rule below this first to run the AV, Spyware, etc. profiles on 80/443.  This rule does forward logs to QRadar.  BUT, I've been noticing all traffic on 80/443 skips over this second rule after it hits the first rule.  I'm not sure if there's any other way to do what I need... ... View more

TLK Support wrote: If you are talking about the URL Filter set them to "Alert" instead of "Allow" Then they are logged under Monitor - URL Filtering Regards Marco I've actually tried this, but our SIEM(qradar) does not like it.  It will send all allowed sites to qradar as an Alert, which ultimately generates a lot of false offenses.  Also, that method won't show me sites that I specify in the "allow list sites".  I don't understand why we can view allowed sites in the ACC, but not anywhere else. ... View more

I was just about to start a topic on this.  I can confirm this issue.  The scroll bars are missing in other tabs as well.  You can not scroll through the logs in the monitor tab. ... View more

I don't have a specific example yet, It was a question that came about from curiousity.  Instead of checking the logs every now and then, I thought it would be a good idea to be able to be notified of a particular threat(s) as it happens.  Not just all the ones that fall under the same Severity level. edit: Here's an example.  It would be nice to be notified when Palo Alto detects a user using any kind of "remote-access" application as it happens. ... View more

swhyte wrote: Hello Jambulo, the only way to do this is to create another vulnerability profile, add the desired exception, then create another policy that details your desired granularity (source ip, destination ip, etc..) and add that new vulnerability profile to it. thanks, Stephen Thanks for the tip...I tried it and it works, but have 2 concerns... 1) When I create a new policy that includes a specific IP address and the new vulnerability profile, it does work correctly at ignoring the vulnerability.  BUT, ANYTHING that comes through with the IP address stated in the new policy, gets labeled as using the "rule" for that new policy.  It looks like the policies are using a Bolean OR operator, when it should be using AND. 2) If I had to create multiple policies for multiple exceptions, would it create a lot of exta load? Since it scans through all the vulnerabilities minus the exception in Policy 1, then scans through all the vulnerabilities minus the exception in Policy 2, and so on...(I have Packet Capture on too) ... View more