Why a vulnerability signature action is set as "alert" while its severity is critical or high
24484
Created On 03/31/20 19:29 PM - Last Modified 01/20/24 13:36 PM
Question
A vulnerability signature's action is set to "alert" even though the signature's severity is critical or high and it provides coverage for a known CVE. The expectation is that the action should be reset-both, reset-server, or block.
Environment
All PAN-OS
Answer
There are two circumstances in which a vulnerability signature's action is "alert" while its severity is "critical" or "high."
- Recently found vulnerability:
  - When a new vulnerability signature is released, its default action is "alert" regardless of severity. Palo Alto Networks observes how the signature behaves in the field for some time (a few weeks) before changing the action to "reset-both," "drop," or another action that blocks the traffic.
- A vulnerability that has existed for a while:
  - The other factor is Palo Alto Networks' internal algorithm. For some signatures that have existed for a while, the action remains "alert" even though the severity is critical or high. This is decided by internal logic that depends on metrics, the type of vulnerability, direct vs. indirect effect, soak sites, and feedback from production sites.
- What if I want to block based on severity regardless of the default action?
  - A signature with an action/severity combination of "alert/critical" can be blocked if your Vulnerability Protection profile rules are configured to block based on severity "critical." The simple-server-critical rule overrides the default action for any vulnerability signature with severity critical where the host type is server.
  - The simple-client-critical rule overrides the default action for any vulnerability signature with severity critical where the connection is initiated by the client (host type client).
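The override described above, modelled as an added example (not PAN-OS code and not from the article): profile rules are evaluated top-down with the first match winning (an assumption about ordering), the two rule names come from the article, the catch-all "default" rule and the signatures are constructed, and an audit helper lists which critical/high signatures would still only alert under a given profile.

```python
from dataclasses import dataclass
from typing import FrozenSet, List

# Severities a PAN-OS vulnerability signature can carry.
SEVERITIES = ("informational", "low", "medium", "high", "critical")

@dataclass(frozen=True)
class Signature:
    """A vulnerability signature as shipped in a content update (constructed sample)."""
    threat_id: int        # constructed sample id, not a real threat ID
    severity: str
    default_action: str   # the action the signature ships with, e.g. "alert"
    host: str             # "server" if the exploit targets a server, else "client"

@dataclass(frozen=True)
class ProfileRule:
    """One rule of a Vulnerability Protection profile (simplified model)."""
    name: str
    severity: FrozenSet[str]   # severities the rule matches
    host: str                  # "server", "client" or "any"
    action: str                # "default" keeps the signature's own action

def effective_action(sig: Signature, rules: List[ProfileRule]) -> str:
    """Walk the rules top-down; the first rule matching severity and host wins (assumption)."""
    for rule in rules:
        if sig.severity in rule.severity and rule.host in ("any", sig.host):
            return sig.default_action if rule.action == "default" else rule.action
    return sig.default_action   # nothing matched: the signature's shipped action applies

def alert_only_high_critical(sigs: List[Signature], rules: List[ProfileRule]) -> List[Signature]:
    """Audit: critical/high signatures that would still only alert under this profile."""
    return [s for s in sigs
            if s.severity in ("high", "critical") and effective_action(s, rules) == "alert"]

# Profile that blocks on severity regardless of the shipped action; the catch-all is constructed.
BLOCK_ON_CRITICAL = [
    ProfileRule("simple-client-critical", frozenset({"critical"}), "client", "reset-both"),
    ProfileRule("simple-server-critical", frozenset({"critical"}), "server", "reset-both"),
    ProfileRule("default-all", frozenset(SEVERITIES), "any", "default"),
]
# Profile that simply takes every signature's shipped action.
DEFAULT_ONLY = [ProfileRule("default-all", frozenset(SEVERITIES), "any", "default")]

# Constructed signatures: a newly released critical one (still "alert"), a long-standing
# high one left at "alert" by the vendor's algorithm, and one already promoted to reset-both.
SAMPLE_SIGS = [
    Signature(90001, "critical", "alert", "server"),
    Signature(90002, "high", "alert", "client"),
    Signature(90003, "critical", "reset-both", "client"),
]

if __name__ == "__main__":
    for name, prof in (("default-only", DEFAULT_ONLY), ("block-on-critical", BLOCK_ON_CRITICAL)):
        print(name, "->", [(s.threat_id, s.severity) for s in alert_only_high_critical(SAMPLE_SIGS, prof)])
```

Note that the high-severity signature still alerts under the critical-only rules; blocking it as well needs a rule that matches severity high.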