01-24-2024 02:52 AM
On our 5410 with PANOS 10.2.7-h3 installed I can see a lot of threats with ID 89953 (Inline Cloud Analyzed Unknown-TCP Command and Control Traffic Detection), severity = high, default action = alert.
I want to change the default action via Anti-Spyware-Profile > Inline Cloud Analysis, but it's not possible for this special threat.
Any idea how to change this?
Thx in advance
Thomas
01-24-2024 12:35 PM
You arent able to change the predefined security profiles if youre trying to change it from there. You would have to clone the profile and edit it there.
The threat ID is for this entirely, if you wanted to disable this you could set the action to alert. However, down below if where you can set specific exceptions for the threat.
01-24-2024 11:29 PM
Sure, I've always been using a custom profile and all actions within "Inline Cloud Analysis" are set to "reset-both".
What I've found out in the meantime:
In some rare cases threat IDs within the range 89950-89953 are blocked.
No idea why...
And I still want to block all those threats.
01-25-2024 06:20 AM - edited 01-25-2024 06:22 AM
Just to clarify, are you wanting to block or allow threat IDs 89950-89953? While I dont have much of this traffic being flagged in my environment, its possible that this operates similar to Wildfire, and it initially alerts/allows the traffic before the cloud comes back and says no for future connections.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
