Posted in : Other By Petter Vikström Translate with Google ⟶

5 years ago

At some point you might encounter a false-positive threat that you want to make an exception for. If you know a file is safe if its downloaded from a specific place but you don’t want other files classified with the same threat ID/name to be whitelisted, you can create a separate security profile.
Start by identifying the traffic and where it’s blocked. In this example the file got blocked by the vulnerability protection-profile.
Click on the magnifying class to see more detailed information and find the threat ID.

If we look in the detailed section we can see that the threat ID is 39040 for this threat-name.

Go to Objects > Security Profile > Vulnerability Protection. Since we want to specify what traffic this is whitelisted on we need to create a separate profile so the current security policys is unaffected.
Clone the profile that are currently used for this kind of traffic and rename it properly. Go to the exceptions-tab and select ”Show all signatures”. Type the threat ID, press enter and enable the signature.
Press on the current action (default (alert)) and change it to allow or leave it at default. In this example I will select default (alert) since I still want it to be logged.

When this is done we can either add it to a new Security Profile Group or add it directly to a new Security Policy. Here we will add it directly to a security policy.
Create a new Security Policy above the one that blocked the file.
Specify you source adress and destination.
In the actions-tab, select Profile Type: Profiles and under Vulnerability Protection: <The profile you created>

Commit and verify that the traffic hits the correct Security Policy and is logged with alert.

Be very cautious when you create exceptions and always make sure you only allow the traffic you intended. Always make sure you look at alternative ways before creating an exception.
The same method can be applied on different security profiles.
 

Tags : Exception, Palo Alto, Threat, Vulnerability Protection

Personlig rådgivning

Vi erbjuder personlig rådgivning med författaren för 1400 SEK per timme. Anmäl ditt intresse i här så återkommer vi så snart vi kan.

Add comment

Your comment will be revised by the site if needed.

Teams is replacing Skype for Business - how does it (really) work for the user?

Back to all articles

How to handle pinned start menu apps in Windows 10

Xenit är ett tillväxtbolag med tjänster inom cloud och digital transformation. Våra engagerade specialister inspirerar, utmanar och vägleder företag och organisationer till molnet – alltid med affärsnytta och slutanvändarens frihet i fokus.

Integritetspolicy

Vulnerability Disclosure Policy

Visselblåsarportal

Kontakt

GÖTEBORG
Kungstorget 7
411 17 Göteborg
+46 (0) 10 707 35 00
info@xenit.se
Visa på karta

STOCKHOLM
Kungsgatan 5
111 43 Stockholm
+46 (0) 10 707 35 00
info@xenit.se
Visa på karta

Sidor

IT-tjänster
Kundcase
Karriär
Om Xenit
Nyheter
Tech blog
Kontakt

 

Support

För våra avtalskunder finns våra specialister redo. Ring oss på +46 (0) 10 707 35 80. 

Copyright © 2024 Xenit