1) the custom signature itself is enabled as soon as you hit commit and will be applied to all security rules where an appropriate security profile is enabled.
the 'action' it takes from that moment forward depends on a) the severity level of the signature and b) the action set for the same severity level in the security profile
2) once you add an exception (that is enabled) you apply a different action to a specific signature regardless of the overall rules of the security profile (i.e. sigX is 'high', profile says drop critical,high,medium, override says alert for sig X)
I answered my own question, but it does bring up something interesting.
The short version is that someone had setup a Vulnerability Protection Profile Exception, but never Enabled it.
Once I Enabled it, we could ping any size and it showed in the logs as Action Alert and not Drop.
But what is really interesting is that as part of the troubleshooting process, I had increased the Custom Vulnerability Signature to 105 from 100. At that point I was able to ping up to 105 bytes up from 100 previously even though it was never Enabled.
So it seems like it is still processed, but Dropped at the limits set within the Signature unless you have it Enabled with the Action that you want. Weird, right?
well there's 2 things that make up your issue:
1) the custom signature itself is enabled as soon as you hit commit and will be applied to all security rules where an appropriate security profile is enabled.
the 'action' it takes from that moment forward depends on a) the severity level of the signature and b) the action set for the same severity level in the security profile
2) once you add an exception (that is enabled) you apply a different action to a specific signature regardless of the overall rules of the security profile (i.e. sigX is 'high', profile says drop critical,high,medium, override says alert for sig X)
I answered my own question, but it does bring up something interesting.
The short version is that someone had setup a Vulnerability Protection Profile Exception, but never Enabled it.
Once I Enabled it, we could ping any size and it showed in the logs as Action Alert and not Drop.
But what is really interesting is that as part of the troubleshooting process, I had increased the Custom Vulnerability Signature to 105 from 100. At that point I was able to ping up to 105 bytes up from 100 previously even though it was never Enabled.
So it seems like it is still processed, but Dropped at the limits set within the Signature unless you have it Enabled with the Action that you want. Weird, right?