Create Threat Exceptions for specific traffic

At some point you might encounter a false-positive threat that you want to make an exception for. If you know a file is safe if its downloaded from a specific place but you don’t want other files classified with the same threat ID/name to be whitelisted, you can create a separate security profile.

Start by identifying the traffic and where it’s blocked. In this example the file got blocked by the vulnerability protection-profile.

Click on the magnifying class to see more detailed information and find the threat ID.

If we look in the detailed section we can see that the threat ID is 39040 for this threat-name.

Go to Objects > Security Profile > Vulnerability Protection. Since we want to specify what traffic this is whitelisted on we need to create a separate profile so the current security policys is unaffected.

Clone the profile that are currently used for this kind of traffic and rename it properly. Go to the exceptions-tab and select ”Show all signatures”. Type the threat ID, press enter and enable the signature.
Press on the current action (default (alert)) and change it to allow or leave it at default. In this example I will select default (alert) since I still want it to be logged.

When this is done we can either add it to a new Security Profile Group or add it directly to a new Security Policy. Here we will add it directly to a security policy.

Create a new Security Policy above the one that blocked the file.

Specify you source adress and destination.
In the actions-tab, select Profile Type: Profiles and under Vulnerability Protection: <The profile you created>

Commit and verify that the traffic hits the correct Security Policy and is logged with alert.

Be very cautious when you create exceptions and always make sure you only allow the traffic you intended. Always make sure you look at alternative ways before creating an exception.

The same method can be applied on different security profiles.

 

Disclaimer: All information on this blog is offered "as is" with no warranty. It is strongly recommended that you verify all information and validate all scripts in isolated test environments before using them in production environments.