How to Submit a Vulnerability Signature False Positive

How to Submit a Vulnerability Signature False Positive

Created On 09/25/18 18:59 PM - Last Modified 12/04/20 18:31 PM

When benign network traffic triggers a vulnerability signature, and you suspect that signature is trigger falsely. 

  • All PAN-OS version.

Traffic can be misidentified as one of the vulnerabilities. 


What PAN support need:

  •  Vulnerability signatures are based on the network traffic, hence the focus almost entirely on the data that is seen over the network when the signature fires and it is suspected to be False Positive. It is of utmost importance that complete packet capture that includes the full TCP/UDP transaction and a decent close is included which triggers the signature.

Why complete packet capture?

  • Vulnerability signature false positive investigations need the packet capture provided by a customer. PaloAlto technical support reproduces the issue by replay the packet capture in the lab.
  • The complete packet capture also provides additional 'context' when determining whether the alert is a false positive.
  • The extended packet captures for a specific threat signature ID is not an ideal solution to addressing the false positive, as the packet capture will begin to capture midway through an offending session. This will result in a packet capture that lacks session creation (SYN / SYN-ACK / ACK) which cannot be properly replayed without being doctored.


  1. Collect the output of "show system info" from the CLI of your firewall, or copy the "General Information" pane from the Dashboard of your WebGUI. Put this in the case.
  2. Identify a method of reproduction for the issue. This may involve interaction with either the host or server generating the traffic that triggers a signature or less direct methods of identifying a common source/destination/time of day for when the signature regularly triggers. This can be accomplished by evaluating the data available in your threat logs. Go to WebGUI > Monitor > Threat.
  3. Once a reliable source and/or destination of the offending traffic has been identified, packet capture can be created. This can be done in any number of ways a network administrator is comfortable with:
    3.1. Host-based packet captures on the client/server are fine, so long as they include the full session creation and traffic which generates the signature (Wireshark and TCPDUMP are two examples.)
    3.2.  Packet capture from the PAN-OS appliance is also a possibility! Full packet capture can be generated by creating filters for the source or destination of the traffic, setting the staging (firewall, drop, transmit, receive), enabling filtering, and then enabling the capture. For reference and assistance on the PAN-OS packet capture process, please see this link.
  4. Please provide the threat ID number being triggered, and the threat name being triggered. Alternatively, a threat log screenshot of the trigger will suffice as well. For example, Threat ID 37001 | Microsoft Internet Explorer Memory Corruption Vulnerability.
  5. Provide context on why it is believed that the signature trigger is a false positive. Some examples might include:
    5.1. The description of the target operating system/product in the vulnerability signature does not match a product or application in use in the environment. For example, seeing a vulnerability signature trigger that specifies a vendor name, operating system, or application which it is known is not in use on the network (and has been confirmed as not being in use.)
    5.2. The traffic was analyzed internally to be safe before being reported.
  6. Once all of this data has been gathered and placed in the support case, the packet capture can be analyzed and a verdict and possible fix can be reached.

  • Print
  • Copy Link

Choose Language