Why a vulnerability signature action is set as "alert" while its severity is critical or high

34012
Created On 03/31/20 19:29 PM - Last Modified 08/16/24 01:07 AM


Question


A vulnerability signature action is set as "alert" while the severity of the signature is critical or high. The action should be the one that can block the traffic, such as "reset-client", "reset-server", "reset-both", "drop", "block-ip".




Environment


PAN-OS 
Threat Prevention license


Answer


There are two circumstances in which a vulnerability signature's action is "alert" even though its severity is critical or high.
  • Recently found vulnerability:
    • When we release a new vulnerability signature, its default action is set to "alert" regardless of its severity. Palo Alto Networks observes the behavior of the signature for some time (a few weeks) before changing the action to one that blocks the traffic, such as "reset-client", "reset-server", "reset-both", "drop", or "block-ip".
  • A vulnerability that has existed for a while:
    • Another factor is Palo Alto Networks' internal algorithm. For some signatures, the action remains "alert" even though the severity is critical/high and the vulnerability is not a recent one. This is due to Palo Alto Networks' internal logic, which depends on metrics, the type of vulnerability, direct vs. indirect effect, soak sites, and feedback from production sites.


What if I want to block based on severity regardless of the default action:
  • The action of a signature can be changed from the default action to a different one in a Vulnerability Protection profile. The example below shows the simple-server-critical rule overriding the default action for any vulnerability signature that has a severity of critical and a host type of server.
[screenshot: simple-server-critical rule in the Vulnerability Protection profile]
  • The simple-client-critical rule overrides the default action for any vulnerability signature that has a severity of critical where the connection is initiated by the client.
[screenshot: simple-client-critical rule in the Vulnerability Protection profile]
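The same two rules, expressed as PAN-OS CLI configuration rather than the screenshots above. This is an added example, not part of the original article; the profile name "block-critical" is a constructed placeholder, and the rule names and match criteria mirror the simple-server-critical and simple-client-critical rules described in the text. Enter these in configure mode on the firewall and commit.

```text
# Added example (not from the article). Profile name "block-critical" is a placeholder.
# Rules match on severity and host type, so a critical signature whose default
# action is still "alert" (for example, a recently released signature) is reset
# instead of merely logged.

configure

# Server-side critical signatures: reset the server-bound connection.
set profiles vulnerability block-critical rules simple-server-critical severity critical
set profiles vulnerability block-critical rules simple-server-critical host server
set profiles vulnerability block-critical rules simple-server-critical action reset-server
set profiles vulnerability block-critical rules simple-server-critical cve any
set profiles vulnerability block-critical rules simple-server-critical vendor-id any
set profiles vulnerability block-critical rules simple-server-critical threat-name any
set profiles vulnerability block-critical rules simple-server-critical category any
set profiles vulnerability block-critical rules simple-server-critical packet-capture single-packet

# Client-initiated critical signatures: reset the client side of the connection.
set profiles vulnerability block-critical rules simple-client-critical severity critical
set profiles vulnerability block-critical rules simple-client-critical host client
set profiles vulnerability block-critical rules simple-client-critical action reset-client
set profiles vulnerability block-critical rules simple-client-critical cve any
set profiles vulnerability block-critical rules simple-client-critical vendor-id any
set profiles vulnerability block-critical rules simple-client-critical threat-name any
set profiles vulnerability block-critical rules simple-client-critical category any
set profiles vulnerability block-critical rules simple-client-critical packet-capture single-packet

commit
```

Rules in a Vulnerability Protection profile are evaluated top to bottom and the first match applies, so order the narrower overrides above any broad "default" rule. If you choose "block-ip" instead of a reset action, the action also needs a tracking mode and duration (for example, `action block-ip track-by source duration 300`). The profile takes effect only once it is attached to the relevant Security policy rules, and packet capture is optional; it is set here so that the first blocked packet is available for review in the threat log.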
