How to Add Exempt IP Addresses from the Threat Monitor Logs

67432
Created On 09/26/18 21:06 PM - Last Modified 04/15/21 22:10 PM


Symptom

Overview

This document describes the steps to add an Exempt IP address for a specific threat. This procedure is valid for all Vulnerability Protection, Anti-Spyware, and DNS signatures.



Environment
  • Palo Alto Firewall
  • Any PAN-OS
  • Exceptions to threats seen in the Threat log


Resolution

Steps

  1. Navigate to GUI: Monitor > Logs > Threat
Threat Log
 
  2. Hover over the target threat name; a pulldown ▾ icon appears to the right of the threat name. Click the ▾ pulldown icon and select "Exception". This is the threat to which the exempt IP addresses will be added.
Threat Details
  3. Make sure there is a vulnerability profile associated with a security policy. In this example, the 'test123' vulnerability profile has been applied. Check the box to highlight the profile and add the IP address (as shown in the image below). Click OK.
    Note: The IP address can be the Victim or the Attacker (source address or destination address), as shown in the following logs.
Threat Details
 
  4. Confirm the updates by going to the vulnerability profile and clicking the Exceptions tab. From there, click the 'IP Address Exemptions' applet, as shown below, to verify the changes.
Threat ID
 
  5. After you have verified the changes and confirmed that the IP addresses of the hosts are entered correctly, click OK.
  6. Now open the Vulnerability Protection profile and verify that the created exception's default Action for the signature matches what is intended for traffic matching the IP address exemption. If the default action is not what is intended, adjust it to the correct Action.
Threat ID
 
  7. Commit the configuration. From now on, in this example, traffic from or to the IP address(es) added to the list of Exempt IP addresses will trigger the default (alert) action for this vulnerability signature (for traffic matching a Security Policy tied to this Vulnerability Profile). All other traffic not matching the granular Exception (a granular Exception being an Exception that has IP Address Exemptions configured) will receive the actions defined in the Vulnerability Profile's 'Rules' tab.
  8. Adding an exception to a DNS signature from the threat monitor logs differs from the other two: you cannot add an IP address to the exception list.
    1. Starting with PAN-OS 9.0, Palo Alto Networks introduced another type of signature, DNS Security. An exception can be added to a DNS signature by selecting it through the threat logs.
User-added image
    2. The exception is added; however, there is no place to add an IP address. This exception applies to any traffic that matches this profile.
User-added image


Additional Information
Related KB articles: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UscCAE
 
Note that IP Address Exemptions are often incorrectly interpreted as "Exceptions to the Exceptions"; the correct interpretation is that IP Address Exemptions make an Exception more granular, restricting it to traffic whose source or destination is one of the listed addresses.
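To make the action selection described in step 7 and in the note above concrete, here is an added Python model of how a Vulnerability Protection profile picks an action for a threat log entry. It is written for this article and is not Palo Alto Networks code: the profile name 'test123' comes from the article, but the threat IDs, IP addresses, actions and the comma-separated log lines are constructed sample values, and the evaluation order is a simplified model of the behaviour the article describes (exception with exempt IPs applies only to traffic from or to those IPs, exception without exempt IPs applies to all traffic, everything else falls through to the Rules tab), not an implementation of PAN-OS.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class ThreatException:
    """One Exception entry for a signature (hypothetical model for this example)."""
    threat_id: int
    action: str                                   # "default" = use the signature's default action
    exempt_ips: set = field(default_factory=set)  # the IP Address Exemptions list

    def applies_to(self, src_ip: str, dst_ip: str) -> bool:
        # No exempt IPs (e.g. a DNS signature exception): applies to all traffic.
        if not self.exempt_ips:
            return True
        # Granular exception: applies only when the attacker (source) or the
        # victim (destination) address is in the exemption list.
        exempt = {ip_address(ip) for ip in self.exempt_ips}
        return ip_address(src_ip) in exempt or ip_address(dst_ip) in exempt


@dataclass
class VulnerabilityProfile:
    """Simplified profile: one Rules-tab action plus per-signature exceptions."""
    name: str
    rules_action: str        # action from the profile's Rules tab
    signature_default: dict  # signature ID -> the signature's default action
    exceptions: dict         # signature ID -> ThreatException

    def resolve_action(self, threat_id: int, src_ip: str, dst_ip: str):
        """Return (action, origin) where origin is "exception" or "rules"."""
        exc = self.exceptions.get(threat_id)
        if exc is not None and exc.applies_to(src_ip, dst_ip):
            action = exc.action
            if action == "default":
                action = self.signature_default.get(threat_id, "alert")
            return action, "exception"
        # Traffic not matching a (granular) exception gets the Rules-tab action.
        return self.rules_action, "rules"


def build_example_profile() -> VulnerabilityProfile:
    """Constructed example: 'test123' from the article; IDs and IPs are made up."""
    return VulnerabilityProfile(
        name="test123",
        rules_action="reset-both",
        signature_default={30001: "alert", 30002: "sinkhole"},
        exceptions={
            # Vulnerability signature exception with an IP Address Exemption.
            30001: ThreatException(30001, "default", {"10.1.1.5"}),
            # DNS-style exception: no exempt IPs, so it covers all traffic.
            30002: ThreatException(30002, "allow"),
        },
    )


# Constructed sample log lines in a simplified "src,dst,threat_id" form
# (not the real PAN-OS threat log format).
SAMPLE_THREAT_LOGS = [
    "10.1.1.5,192.0.2.10,30001",   # attacker is the exempt IP
    "10.1.1.9,192.0.2.10,30001",   # neither side exempt
    "10.1.1.9,10.1.1.5,30001",     # victim is the exempt IP
    "10.1.1.9,192.0.2.10,30002",   # DNS signature, exception without exempt IPs
]


def evaluate_logs(profile: VulnerabilityProfile, lines):
    """Resolve the action for each sample log line."""
    results = []
    for line in lines:
        src, dst, tid = line.split(",")
        action, origin = profile.resolve_action(int(tid), src, dst)
        results.append((src, dst, int(tid), action, origin))
    return results


if __name__ == "__main__":
    for src, dst, tid, action, origin in evaluate_logs(build_example_profile(), SAMPLE_THREAT_LOGS):
        print(f"{src} -> {dst} threat {tid}: {action} (from {origin})")
```

Running the script shows the distinction the article makes: only the two lines where 10.1.1.5 is the source or destination receive the exception's default (alert) action, the third line with the same signature falls back to the Rules-tab action, and the DNS-style exception with no exempt IPs applies regardless of address.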

