Missing Threat ID in the exception tab of Vulnerability Protection Profile on WebGUI
Created On 05/13/20 03:45 AM - Last Modified 06/02/23 03:02 AM
Symptom
This KB article explains the situations where a certain Threat ID isn't displayed under WebGUI > Object > Security Profiles > Vulnerability Protection > Exceptions.
Cause
1. First, make sure the "Show All Signatures" checkbox is selected.
2. Check whether the Threat ID is supported on the PAN-OS version the firewall is running.
This information can be found in Palo Alto Networks Content Update Release Notes as well as on Threat Vault (https://threatvault.paloaltonetworks.com/).
Here is an example from the Palo Alto Networks Content Update Release Notes.
In this example, two signatures (57836 and 57837) were released for the same vulnerability (CVE-2020-0796).
Threat ID 57836 was made for PAN-OS 8.1.0 or later.
Threat ID 57837 was made for PAN-OS 7.1.0 through PAN-OS 8.0.x.
Note:
"Maximum PAN-OS Version 8.1.0" means, "PAN-OS Version < 8.1.0".
The signature decoder behaves differently across PAN-OS versions, so two signatures are sometimes generated for the same vulnerability, as in this case.
As a result, PAN-OS 8.1.0 or later shows Threat ID 57836 under the exception setting but does not show Threat ID 57837.
To be precise, it works in that way in PAN-OS 8.1.3 or later due to the following fix.
PAN-92745 (Fixed in 8.1.3, 9.0.0) - "Fixed an issue where the Vulnerability Protection profile exceptions view included threat IDs that were disabled or not supported for the PAN-OS release version. Now, only IDs for signatures that are included in the currently installed content package are displayed."
Note:
The change made by PAN-92745 applies only to the WebGUI, so disabled or unsupported signatures are still displayed on the CLI.
Here is an example from Threat Vault.
3. Check whether the Threat ID has already been disabled.
As described above, disabled signatures are not displayed on the WebGUI either. This information can be found in the Palo Alto Networks Content Update Release Notes as well as on Threat Vault (https://threatvault.paloaltonetworks.com/).
Here is an example from the Palo Alto Networks Content Update Release Notes.
Here is an example from Threat Vault.
In case a Threat ID isn't displayed on WebGUI even if the signature is supported and is not disabled, please refer to the resolution section below.
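As an added illustration (not part of the KB article), the following Python models the rules from steps 2 and 3: a signature is supported when Minimum PAN-OS Version <= running version < Maximum PAN-OS Version (the maximum is exclusive, as the note states), disabled signatures are hidden, and the filtering applies only to the WebGUI on releases that carry PAN-92745. The Signature class and the two sample entries are constructed for this example and are not a Palo Alto Networks API.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn a PAN-OS version string such as "8.1.3" into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))


# PAN-92745 (fixed in 8.1.3 / 9.0.0): the WebGUI hides disabled and unsupported IDs.
PAN_92745_FIXED = parse_version("8.1.3")


@dataclass(frozen=True)
class Signature:
    threat_id: int
    minimum: str                   # "Minimum PAN-OS Version" column of the release notes
    maximum: Optional[str] = None  # "Maximum PAN-OS Version"; None means no upper bound
    disabled: bool = False         # signature flagged as disabled in the content package

    def supported_on(self, panos: str) -> bool:
        """Supported when minimum <= version < maximum; the maximum is exclusive."""
        v = parse_version(panos)
        if v < parse_version(self.minimum):
            return False
        if self.maximum is not None and v >= parse_version(self.maximum):
            return False
        return True

    def shown_in_exceptions_tab(self, panos: str) -> bool:
        """Whether the WebGUI exceptions tab lists this ID on the given PAN-OS."""
        if parse_version(panos) < PAN_92745_FIXED:
            return True  # before the fix, every ID in the content package was listed
        return self.supported_on(panos) and not self.disabled


# Constructed entries modelled on the CVE-2020-0796 pair described in the article.
SIGNATURES = [
    Signature(57836, minimum="8.1.0"),
    Signature(57837, minimum="7.1.0", maximum="8.1.0"),
]


def visible_threat_ids(panos: str, signatures: List[Signature] = SIGNATURES) -> List[int]:
    """Threat IDs the WebGUI exceptions tab shows; the CLI still lists all of them."""
    return sorted(s.threat_id for s in signatures if s.shown_in_exceptions_tab(panos))


if __name__ == "__main__":
    for ver in ("8.0.5", "8.1.0", "8.1.3", "9.1.0"):
        print(ver, visible_threat_ids(ver))
```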
Resolution
If a Threat ID is still not displayed on the WebGUI even though the signature is supported and not disabled, please contact Palo Alto Networks Support with the following information.
- Tech Support file
- Screenshot (WebGUI > Object > Security Profiles > Vulnerability Protection > Exceptions)
As a workaround, set the exception from the CLI:
> configure
# set profiles vulnerability <Profile Name> threat-exception <ID>