Palo Alto Networks Knowledgebase: How to Use Anti-Spyware, Vulnerability and Antivirus Exceptions to Block or Allow Threats
Created On 08/05/19 19:22 PM - Last Updated 08/05/19 19:48 PM
This document describes how to use Anti-Spyware, Vulnerability Protection, and Antivirus Exceptions to change actions for specific threats on Palo Alto Networks firewalls.
Anti-Spyware or Vulnerability Protection Exceptions
For example, to add an Anti-Spyware Exception for threat ID #30003 to an existing profile named "Threat_exception_test_profile":
Go to Objects > Security Profiles > 'Anti-Spyware' or 'Vulnerability Protection', select the existing profile, and click the "Exceptions" tab.
First, check the "Show all signatures" checkbox at the lower left of the profile window.
In the search field, enter a search string (for example, 'microsoft') or simply the threat ID number itself (for example, 30003), then press Enter or click the green arrow to start the search. Note: If the signature you are searching for was added in the latest dynamic update and is not returned in the search results, log out of the Web UI and log back in to clear the GUI cache.
The search returns "Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability" (threat ID #30003). Note: Threat IDs can be easily determined from the threat logs.
To enable this exception, check the 'Enable' box and change the default 'Action' value to the action you want taken on traffic matching this signature: select Allow to allow the traffic, or Drop to drop it.
Threat Action detail - change default action.
Use the IP Address Exemptions column to add IP address filters to a threat exception. If IP addresses are added to a threat exception, the exception action for that signature overrides the rule's action only when the signature is triggered by a session whose source or destination IP matches an IP in the exception. You can add up to 100 IP addresses per signature. With this option, you do not have to create a new policy rule and a new vulnerability profile to create an exception for a specific IP address. To exclude only certain IP addresses rather than all traffic, click the empty cell under "IP Address Exemptions", click Add at the bottom, and add up to 100 IP addresses to the list.
IP Address Exemption detail.
Make sure that the Anti-Spyware and/or Vulnerability Protection profiles are applied to the appropriate security policies.
Commit the changes to enable the exception.
Antivirus Exceptions
For example, to add an Antivirus Exception for threat ID #253879 to an existing profile named "AV_exception_test_profile": (Note: Excluding a virus from being checked is all or nothing; you cannot exclude just an IP address from this protection, the exclusion applies to all traffic allowed by that rule/antivirus policy.)
Go to Objects > Security Profiles > Antivirus.
In the existing profile, click the Virus Exception tab.
Enter the ID value (for this example, 253879) into the Threat ID field at the bottom of the page, and click Add. Note: The threat ID can be determined from the threat logs.
For this example, an exception for "Win32/Virus.Generic.koszy" is created.
AntiVirus - Virus Exception window detail.
Make sure that Antivirus profiles are applied to the appropriate security policies.
There is no option to exclude just certain IP addresses with an AntiVirus Exception.
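As an added illustration (not part of this article and not Palo Alto Networks code), the following Python models the matching rule described in both sections above: an enabled exception overrides the profile's default action, an IP Address Exemption list narrows that override to sessions whose source or destination IP is on the list (up to 100 entries), and an Antivirus exception has no such list, so it applies to every session. Threat ID 40001 and all IP addresses are constructed sample values, and the class and function names are assumptions for this example, not anything on the firewall.

```python
from ipaddress import ip_address

MAX_EXEMPT_IPS = 100  # per-signature limit stated in the article

class ThreatException:
    """One row of a profile's Exceptions tab: Enable, Action, IP Address Exemptions."""
    def __init__(self, threat_id, action, enabled=True, exempt_ips=()):
        if len(exempt_ips) > MAX_EXEMPT_IPS:
            raise ValueError(f"at most {MAX_EXEMPT_IPS} IP addresses per signature")
        self.threat_id = threat_id
        self.action = action  # "allow" or "drop", the Action chosen in the exception
        self.enabled = enabled
        # Empty set means no IP filter: the exception applies to every session.
        self.exempt_ips = frozenset(ip_address(ip) for ip in exempt_ips)

    def applies_to(self, src, dst):
        """The exception overrides the default only for an enabled row and a matching session."""
        if not self.enabled:
            return False
        if not self.exempt_ips:
            return True
        return ip_address(src) in self.exempt_ips or ip_address(dst) in self.exempt_ips

def effective_action(default_action, exceptions, threat_id, src, dst):
    """Action the profile takes for one threat event (exception action or default)."""
    exc = exceptions.get(threat_id)
    if exc is not None and exc.applies_to(src, dst):
        return exc.action
    return default_action

def evaluate_log(records, default_action, exceptions):
    """Annotate (threat_id, src, dst) records with the action that would be taken."""
    return [(tid, src, dst, effective_action(default_action, exceptions, tid, src, dst))
            for tid, src, dst in records]

# Constructed sample threat-log events (threat_id, source, destination); not real data.
SAMPLE_LOG = [
    (30003, "10.1.1.5", "192.0.2.10"),   # source is on the exemption list -> allow
    (30003, "10.2.2.2", "10.1.1.5"),     # destination is on the exemption list -> allow
    (30003, "10.2.2.2", "192.0.2.10"),   # neither side exempt -> profile default (drop)
    (40001, "10.1.1.5", "192.0.2.10"),   # constructed ID with no exception -> default (drop)
    (253879, "10.2.2.2", "192.0.2.10"),  # antivirus exception, no IP filter -> allow
]
SPYWARE_EXCEPTIONS = {30003: ThreatException(30003, "allow", exempt_ips=["10.1.1.5"])}
AV_EXCEPTIONS = {253879: ThreatException(253879, "allow")}  # all-or-nothing, as the article notes

if __name__ == "__main__":
    for row in evaluate_log(SAMPLE_LOG, "drop", {**SPYWARE_EXCEPTIONS, **AV_EXCEPTIONS}):
        print(row)
```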