This document describes the steps to add an Exempt IP address for a specific threat. This procedure is valid for all Vulnerability Protection, Anti-Spyware, and DNS signatures.
Palo Alto Firewall.
Exceptions to threats seen in Threat log
Navigate to GUI: Monitor > Logs > Threat
Hover over the target threat name, a pulldown ▾ icon will show right to the Threat name. Click the ▾ pulldown Icon and select "Exception". This is the threat to which the exempt IP addresses are to be added.
Make sure there is a vulnerability profile associated with a security policy. In this example, the 'test123' vulnerability profile has been applied. At this point, check the box to highlight the profile and add the IP address (as shown in the image below). Click OK. Note: The IP address can be the Victim or Attacker (source address or destination address ) as shown in the following logs.
Confirm the updates by going to the vulnerability profile and clicking on the exceptions tab. From there, click on the 'IP Address Exemptions" applet, as shown below, to verify the changes.
After you verified changes and confirmed IP addresses of hosts are entered correctly, click OK.
Now access the Vulnerability Protection profile and verify if the created exception's default Action for the signature matches up with what is intended to happen with the traffic matching the IP address exemption. If the default action is not what is intended, adjust it to the correct Action.
Commit the configuration. From now on, in this example, traffic from or to IP address(es) added to the list of Exempt IP addresses will trigger a default(alert) action for this vulnerability signature (for traffic matching a Security Policy tied to this Vulnerability Profile). All other traffic not matching the granular Exception (granular Exception, meaning an Exception that has IP Address Exemptions configured) will execute the actions defined in the Vulnerability Profile's 'Rules' tab.
Exception adds to DNS Signature by threat monitor logs is different the other two. You can't add an IP address in the exception list.
Starting with PAN-OS 9.0, PaloAlto networks introduce another type of signature -DNS security. An exception can be added to the DNS signature by selecting through threat logs.
2. The exception is added, however, there is no place to add the IP address. This exception is added for any traffic that will match this profile.
Additional Information Related KB articles: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UscCAE
Note that often times IP Address Exemptions are incorrectly interpreted as Exceptions to the Exceptions, however, the correct interpretation of IP Address Exemptions is that they make Exceptions more granular.