Creating a vulnerability exception will add a particular exemption for all the traffic specified on the security rule, this will function globally for all the IP addresses specified in the subnet called under that rule. However, it is also possible to make this exemption to specifically exempt only for one particular source and one particular destination of the subnet called in the security rule.
Use the IP Address Exemptions column to add IP address filters to a threat exception. If IP addresses are added to a threat exception, the threat exception action for that signature will only be taken over the rule's action if the signature is triggered by a session having either the source or destination IP matching an IP in the exception.
1. Inside of the WebGUI, go to Objects > Security Profiles > Vulnerability Protection > click on the Exceptions tab and enter the Threat ID and click Enable. Give both the Source and Destination IP addresses to be exempted on the exception list.
2. After specifying the Source and the Destination IP address, the Palo Alto Networks firewall will still be able to exempt based upon the Source IP address 220.127.116.11. In order to track the destination, specify the action as block IP and specify both the Source and Destination IP address for tracking, also specify the time interval.
3. Now the firewall will be able to look into both the Source and Destination IP address for exemption, and if either the Source or the Destination IP address is there in the exception list, then the rule will block the traffic for 3600 seconds.
For more information on configuring exceptions, please see: