Unable to locate threat ID 8002 for a vulnerability protection exception.
Created On 07/03/22 14:21 PM - Last Modified 05/04/23 14:22 PM
Symptom
- The Threat Vault (https://threatvault.paloaltonetworks.com/) classifies the signature as "Vulnerability Protection Signatures".
- Unable to locate any of the threat IDs listed below when creating an exception in the vulnerability protection profile.
Threat-ID 8001 This event detects a TCP port scan.
Threat-ID 8002 This event detects a host sweep.
Threat-ID 8003 This event detects a UDP port scan.
Threat-ID 8501 This event detects a TCP flood event.
Threat-ID 8502 This event detects UDP flooding.
Threat-ID 8503 This event detects an ICMP flood.
Threat-ID 8504 This event detects the use of other IP (non TCP, UDP, or ICMP) packets for flooding attacks.
Threat-ID 8506 Flood SCTP INIT control chunk has been received (different connections)
Threat-ID 8507 Packet buffer protection enforcing RED packet drop.
Threat-ID 8508 Packet buffer protection enforcing session discard.
Threat-ID 8509 Packet buffer protection enforcing source IP block.
Environment
- Palo Alto Networks Firewalls.
- PAN-OS 8.1.0 and later versions.
- PAN-OS 9.1.0 and later versions.
- PAN-OS 10.0.0 and later versions.
- PAN-OS 10.1.0 and later versions.
- PAN-OS 10.2.0 and later versions.
Cause
- Although these threat IDs are identified as "Vulnerability Protection Signatures", all signature IDs in the ranges 8500-8599 and 8000-8099 are associated with the protections available in the "Zone Protection" and "DoS Protection" profiles.
Resolution
- This is the expected behavior. Exceptions for these signatures are not available under the "Vulnerability Protection Profile".
- There are no threat exceptions for signatures related to "Zone Protection" and "DoS Protection". The only option is "Source Address Exclusion", which is available for "Reconnaissance Protection".
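
As an added example (not Palo Alto Networks code), the Python sketch below triages threat IDs from a log excerpt against the two ranges named under Cause, so a tuning request is routed to the right profile before anyone searches the Vulnerability Protection exception list. The CSV layout, sample rows, function names and location labels are assumptions, and treating 8001-8003 as the Reconnaissance Protection events is inferred from their scan and sweep descriptions above.

```python
import csv
import io
from collections import Counter, defaultdict

# Ranges stated on this page: handled by Zone Protection / DoS Protection profiles.
ZONE_DOS_RANGES = (range(8000, 8100), range(8500, 8600))
# Scan and sweep IDs listed on this page; assumed here to be Reconnaissance Protection events.
RECON_IDS = {8001, 8002, 8003}

# Constructed sample rows in a simplified layout (not the PAN-OS log export format).
# Threat ID 30845 is a made-up placeholder for "some ID outside the two ranges".
SAMPLE_LOG = """threat_id,source
8002,10.0.5.20
8002,10.0.5.20
8001,10.0.5.20
8502,198.51.100.7
8002,192.0.2.44
30845,203.0.113.9
"""

def tuning_location(threat_id):
    """Return a label for where tuning of this threat ID is configured."""
    if not any(threat_id in r for r in ZONE_DOS_RANGES):
        return "outside-zone-dos-ranges"  # normal profile exception may apply
    if threat_id in RECON_IDS:
        return "zone-protection-source-address-exclusion"
    return "zone-or-dos-protection-profile"  # no exception mechanism at all

def triage(log_text):
    """Group hit counts by tuning location and rank sources of recon events."""
    plan = defaultdict(Counter)
    recon_sources = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        tid = int(row["threat_id"])
        where = tuning_location(tid)
        plan[where][tid] += 1
        if where == "zone-protection-source-address-exclusion":
            recon_sources[row["source"]] += 1
    return {k: dict(v) for k, v in plan.items()}, recon_sources.most_common()

if __name__ == "__main__":
    plan, sources = triage(SAMPLE_LOG)
    for where, ids in plan.items():
        print(where, ids)
    print("recon sources to review for Source Address Exclusion:", sources)
```

The ranked source list is only a review aid: a source belongs in a Source Address Exclusion when it is a known, authorized scanner, not merely because it is noisy.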
Additional Information
- What are the Threat IDs for Scan and Flood associated with Zone Protection?