What is the behavior when IP address/s are added under "IP-address-exemptions" for spyware/threat exception?


19142
Created On 07/16/20 04:11 AM - Last Modified 11/01/23 19:25 PM


Question



What is the behavior when IP addresses are added under "IP Address Exemptions" for a spyware/threat exception with a modified signature action?
When an IP address is added under the "IP Address Exemptions" tab, the common assumption is that any traffic matching those IPs is exempted from the modified action in that threat or spyware signature. In reality, the modified action in the threat/spyware signature is applied only to those IPs; they are not exempted from it.



 


Environment


  • All PAN-OS
  • Palo Alto Firewall.
  • Anti-Spyware or threat Profile configured.

 


Answer


The modified action of a threat or spyware exception is applied to the IPs listed under "IP Address Exemptions", not withheld from them. In other words, adding an IP exemption means any traffic with that IP as source or destination receives the exception action, while everything else keeps the default (severity-based) action.
  • A threat exception is created under Profile -> Vulnerability Protection -> Exceptions to override the default action or the action defined for the signature. Without an IP list, this modified behavior applies to each and every matching flow.
  • In some cases you want to apply this exception only for a few IP addresses and keep the default or configured action for the rest of the traffic. For that, add the IPs under the "IP Address Exemptions" tab. This lets you use the same vulnerability profile but get two different behaviors depending on the source or destination IP.
  • You can add up to 100 IPs per signature, and these IP addresses can be source/destination IPs.
  • This functionality is often incorrectly perceived as "IPs under the IP exemption tab will be exempted from the modified behavior." In fact the opposite is true: the new behavior applies only to the listed IPs, while all other traffic is exempted from it and keeps the default action.
  • Example:
    • The threat profile's signature policies are configured to reset all signatures with critical, high, and medium severity. That means any spyware signature matching these criteria has the action "reset-both".
 
  • Now an exception is added for the threat signature that changes its action to "alert", and that exception is restricted to a single IP, 192.168.1.10, under IP Address Exemptions.
 
  • In the threat logs, the traffic from 192.168.1.10 shows the action "alert", while the same kind of traffic from 172.168.1.10 shows "reset-both".
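To make the decision logic above concrete, here is a small Python model of how an exception with an IP list selects the action for a flow. This is an added example written for this article; it is not PAN-OS code and does not use any PAN-OS API. The class and function names, the placeholder threat ID 90001, and the sample flows are all constructed for illustration. The 100-IP cap and the source-or-destination matching follow the article's description.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

# Per-signature cap on IP Address Exemptions, as stated in the article.
MAX_EXEMPT_IPS = 100


@dataclass
class ThreatException:
    """A signature-level exception: the action it sets and an optional IP list.

    Names are this example's own, not PAN-OS configuration keys.
    """
    threat_id: int
    action: str
    exempt_ips: frozenset = field(default_factory=frozenset)

    @classmethod
    def build(cls, threat_id, action, exempt_ips=()):
        if len(exempt_ips) > MAX_EXEMPT_IPS:
            raise ValueError(f"at most {MAX_EXEMPT_IPS} IPs per signature")
        return cls(threat_id, action, frozenset(ip_address(ip) for ip in exempt_ips))


@dataclass
class ThreatProfile:
    severity_actions: dict                          # severity -> default action
    exceptions: dict = field(default_factory=dict)  # threat_id -> ThreatException


def resolve_action(profile, threat_id, severity, src_ip, dst_ip):
    """Return the action the profile applies to one flow that triggered threat_id."""
    default_action = profile.severity_actions.get(severity, "default")
    exc = profile.exceptions.get(threat_id)
    if exc is None:
        return default_action
    if not exc.exempt_ips:
        # No IP list: the modified action applies to all matching traffic.
        return exc.action
    if ip_address(src_ip) in exc.exempt_ips or ip_address(dst_ip) in exc.exempt_ips:
        # A listed IP as source or destination gets the modified action...
        return exc.action
    # ...and every other flow keeps the severity-based default action.
    return default_action


# Constructed profile mirroring the walk-through: critical/high/medium reset-both,
# one exception that sets "alert" only for 192.168.1.10.
# Threat ID 90001 is a placeholder, not a real signature number.
PROFILE = ThreatProfile(
    severity_actions={"critical": "reset-both", "high": "reset-both", "medium": "reset-both"},
    exceptions={90001: ThreatException.build(90001, "alert", ["192.168.1.10"])},
)

# Constructed flows: (threat_id, severity, source, destination).
SAMPLE_FLOWS = [
    (90001, "critical", "192.168.1.10", "10.10.10.5"),  # listed IP as source
    (90001, "critical", "172.168.1.10", "10.10.10.5"),  # unlisted IP
    (90001, "critical", "10.10.10.5", "192.168.1.10"),  # listed IP as destination
    (90002, "high", "192.168.1.10", "10.10.10.5"),      # no exception for this signature
]


def simulate_threat_log(profile=PROFILE, flows=SAMPLE_FLOWS):
    """Return threat-log style rows: (threat_id, src, dst, action)."""
    return [(tid, src, dst, resolve_action(profile, tid, sev, src, dst))
            for tid, sev, src, dst in flows]


if __name__ == "__main__":
    for row in simulate_threat_log():
        print("threat={} src={} dst={} action={}".format(*row))
```

Running the block prints one row per constructed flow; only the two flows where 192.168.1.10 appears as source or destination resolve to "alert", and the flow for the signature without an exception stays at "reset-both" even though it comes from the listed IP, because the IP list belongs to one signature's exception, not to the profile.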
 


 


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UscCAE&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail